SAML assertions

From Wiki @ Karl Jones dot com

In Security Assertion Markup Language (SAML), an assertion is a package of security statements about a subject (typically a user), made by an issuer and intended for a relying party.

Description

Assertion structure (SAML 2.0; the Issuer comes first, followed, when present, by the signature, the Subject, the Conditions and then one or more statements):

 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID=".." Version="2.0" IssueInstant="..">
   <saml:Issuer>..</saml:Issuer>
   <saml:Subject>..</saml:Subject>
   <saml:Conditions>..</saml:Conditions>
   ..
 </saml:Assertion>

Loosely speaking, a relying party interprets an assertion as follows:

Assertion A was issued at time t by issuer R regarding subject S, and its statements hold provided conditions C are valid.

SAML assertions are usually transferred from identity providers to service providers. Assertions contain statements that service providers use to make access-control decisions. Before acting on any statement, the service provider has to verify that the assertion is genuine (the issuer's XML signature) and that its conditions hold: the validity window given by NotBefore and NotOnOrAfter, and the AudienceRestriction naming the service provider itself, so that an assertion issued for one service cannot be replayed to another.

SAML defines three types of statement:

  • Authentication statements
  • Attribute statements
  • Authorization decision statements

Authentication statements assert to the service provider that the principal did indeed authenticate with the identity provider at a particular time (AuthnInstant) using a particular method of authentication. Information about how that authentication was performed (the authentication context, for example a password over a protected transport or an X.509 certificate) may be disclosed in an authentication statement, and a service provider can refuse assertions whose context is weaker than its policy requires.

An attribute statement asserts that a subject is associated with certain attributes.

An attribute is simply a named item with one or more values (a name-value pair in the common case).

Relying parties map these attributes (for example a role or group membership) onto their local access-control rules, so the attribute statement is the part of the assertion on which most authorization decisions actually rest.

An authorization decision statement asserts that a subject is permitted to perform action A on resource R given evidence E.

The expressiveness of authorization decision statements in SAML is intentionally limited, and in SAML 2.0 this statement type is frozen: it is retained for compatibility but receives no further enhancements.

More-advanced use cases are encouraged to use XACML instead.
