SAML assertions
In Security Assertion Markup Language (SAML), an assertion contains a packet of security information.
Description
Assertion structure:
<saml:Assertion ...> .. </saml:Assertion>
Loosely speaking, a relying party interprets an assertion as follows:
Assertion A was issued at time t by issuer R regarding subject S provided conditions C are valid.
SAML assertions are usually transferred from identity providers to service providers. Assertions contain statements that service providers use to make access-control decisions.
Three types of statements are provided by SAML:
- Authentication statements
- Attribute statements
- Authorization decision statements
Authentication statements assert to the service provider that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication. Other information about the authenticated principal (called the authentication context) may be disclosed in an authentication statement.
An attribute statement asserts that a subject is associated with certain attributes.
An attribute is simply a name-value pair.
Relying parties use attributes to make access-control decisions.
An authorization decision statement asserts that a subject is permitted to perform action A on resource R given evidence E.
The expressiveness of authorization decision statements in SAML is intentionally limited.
More-advanced use cases are encouraged to use XACML instead.
External links
- SAML assertions @ Wikipedia