Difference between revisions of "SAML assertions"
Karl Jones (Talk | contribs) (Created page with "In Security Assertion Markup Language (SAML), an assertion contains a packet of security information. == Description == Assertion structure: <pre> <saml:Assertion ...>...")
Karl Jones (Talk | contribs)
Line 1:
− In [[Security Assertion Markup Language]] (SAML), an assertion contains a packet of security information.
+ In [[Security Assertion Markup Language]] (SAML), an '''assertion''' contains a packet of security information.
== Description ==
Revision as of 10:14, 14 October 2015
In Security Assertion Markup Language (SAML), an assertion contains a packet of security information.
Description
Assertion structure:
<saml:Assertion ...> .. </saml:Assertion>
Loosely speaking, a relying party interprets an assertion as follows:
Assertion A was issued at time t by issuer R regarding subject S provided conditions C are valid.
SAML assertions are usually transferred from identity providers to service providers. Assertions contain statements that service providers use to make access-control decisions.
Three types of statements are provided by SAML:
- Authentication statements
- Attribute statements
- Authorization decision statements
Authentication statements assert to the service provider that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication. Other information about the authenticated principal (called the authentication context) may be disclosed in an authentication statement.
An attribute statement asserts that a subject is associated with certain attributes.
An attribute is simply a name-value pair.
Relying parties use attributes to make access-control decisions.
An authorization decision statement asserts that a subject is permitted to perform action A on resource R given evidence E.
The expressiveness of authorization decision statements in SAML is intentionally limited.
More-advanced use cases are encouraged to use XACML instead.
See also
External links
- SAML assertions @ Wikipedia