Thursday, July 2, 2015

What is a SAML Assertion?

If you are just starting out trying to understand SAML you will come across the term SAML Assertion quite quickly. In this post I will try to explain what a SAML Assertion is and give some examples of what one can look like. This post mainly looks at the SAML Assertion from the perspective of the SAML Web Browser SSO Profile. If you don't know what that is, have a look at my post on exactly that.

What is a SAML Assertion?


The SAML Assertion is the main piece in the SAML puzzle. It is the object that the rest of SAML exists to build, transport and consume safely.

A SAML Assertion is basically a package of security information about an entity (e.g. a user), issued by the Identity Provider (IdP) to the Service Provider (SP). When the user has authenticated with the IdP, a SAML Assertion is sent to the SP with the IdP's information about that user. In the Web Browser SSO Profile the assertion travels inside a SAML Response, and the SP must verify the IdP's signature on it before trusting anything it says.

What does a SAML Assertion contain?

The SAML Assertion contains some general information: who issued it (the Issuer), when it was issued (IssueInstant), who it is about (the Subject) and the validity period (Conditions, with NotBefore and NotOnOrAfter). The assertion also contains statements about the user. These come in three types.

Authentication

The authentication statement contains, not surprisingly, information about the authentication of the user: mainly when (AuthnInstant) and by what means (the AuthnContext) the user was authenticated. In the example the user was authenticated with a password over a protected transport, which the AuthnContextClassRef value expresses as:

   urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Attribute

The attribute statement can contain application-specific attributes connected to the user, for example address, telephone number or social security number. Each Attribute carries one or more AttributeValue elements; the example has three attributes with the values:

   555501234
   someone@example.com
   546848134886

Authorization

The authorization decision statement contains information about the user's access rights to a resource: the resource, the action requested and the decision (Permit, Deny or Indeterminate). This statement can be used for basic authorization; the example covers the action:

   Read

The statement was frozen as of SAML 2.0 with no further enhancements planned, so for more advanced authorization cases I recommend taking a look at the XACML standard.


What does a SAML Assertion look like?

Here is an example of what a whole assertion can look like. It is issued by IDP-alias (the Issuer), carries a Signature element containing the digest 5VkzP/MZ1PMJ62o45/7DdFms9y7K, names the subject my-alias (the NameID), and contains the authentication statement and attribute statement shown above:

   Issuer: IDP-alias
   Signature, DigestValue: 5VkzP/MZ1PMJ62o45/7DdFms9y7K
   Subject, NameID: my-alias
   AuthnStatement, AuthnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
   AttributeStatement values: 555501234, someone@example.com, 546848134886
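To make the structure of the assertion concrete, and to show what an SP actually has to check in the general information described under "What does a SAML Assertion contain?", here is an added example in Python. It is not code from this post or from OpenSAML. It builds a SAML 2.0 assertion with the values shown above (issuer IDP-alias, NameID my-alias, the PasswordProtectedTransport context class, the three attribute values, the digest) and then runs the non-cryptographic checks on it: issuer, validity window and audience. The attribute names (phone, mail, ssn), the assertion ID, the timestamps and the SP audience URL are assumptions, since the post does not give them. Signature verification is deliberately left out; a real SP must verify the XML-DSig (with xmlsec or similar) before any of the other checks mean anything.

```python
# Added example (not code from the post or from OpenSAML): build a SAML 2.0
# assertion with the values the post shows and run the checks an SP must make
# before trusting it. Attribute names, the ID, timestamps and the audience URL
# are assumed. Signature verification is NOT done here: a real SP verifies the
# XML-DSig (e.g. with xmlsec) before anything in check_assertion is worth doing.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PWD_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SP_AUDIENCE = "https://sp.example.com/metadata"   # assumed SP entityID
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_assertion(issued_at, lifetime=timedelta(minutes=5)):
    """Return the assertion as XML text. IDP-alias, my-alias, the context class,
    the digest and the three attribute values come from the post; the rest is assumed."""
    t0 = issued_at.strftime(TIME_FMT)
    t1 = (issued_at + lifetime).strftime(TIME_FMT)
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
                ID="_assumed-id-1" Version="2.0" IssueInstant="{t0}">
  <saml:Issuer>IDP-alias</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#_assumed-id-1">
      <ds:DigestValue>5VkzP/MZ1PMJ62o45/7DdFms9y7K</ds:DigestValue>
    </ds:Reference></ds:SignedInfo>
    <ds:SignatureValue>placeholder-not-a-real-signature</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject><saml:NameID>my-alias</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{t0}" NotOnOrAfter="{t1}">
    <saml:AudienceRestriction><saml:Audience>{SP_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="{t0}">
    <saml:AuthnContext><saml:AuthnContextClassRef>{PWD_TRANSPORT}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="phone"><saml:AttributeValue>555501234</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>someone@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="ssn"><saml:AttributeValue>546848134886</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_issuer, expected_audience, now):
    """Run the non-cryptographic checks and return the claims, or raise ValueError.
    For untrusted input use a hardened parser such as defusedxml; ElementTree is
    used here only to stay stdlib-only."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        raise ValueError("not a saml:Assertion")
    if root.find("ds:Signature", NS) is None:      # structural check only, see above
        raise ValueError("unsigned assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")   # both optional in SAML
    if (nb and now < _parse_time(nb)) or (na and now >= _parse_time(na)):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this SP")
    attributes = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
                  for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return {"subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "authn_context": root.findtext(
                "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
            "attributes": attributes}


def demo():
    """Accept a fresh assertion, then see the same one rejected when replayed late
    or presented as coming from a different IdP."""
    issued = datetime(2015, 7, 2, 12, 0, tzinfo=timezone.utc)
    xml_text = build_assertion(issued)
    fresh = issued + timedelta(minutes=1)
    result = {"claims": check_assertion(xml_text, "IDP-alias", SP_AUDIENCE, now=fresh)}
    for name, kwargs in (("expired", dict(expected_issuer="IDP-alias", now=issued + timedelta(minutes=10))),
                         ("wrong_issuer", dict(expected_issuer="other-idp", now=fresh))):
        try:
            check_assertion(xml_text, expected_audience=SP_AUDIENCE, **kwargs)
            result[name] = "accepted"
        except ValueError as err:
            result[name] = str(err)
    return result


if __name__ == "__main__":
    print(demo())
```

The order of checks is deliberate: signature first (here only its presence), then issuer, then time window and audience, and only then are the statements read out. An assertion that fails any one of them must be discarded whole; the attributes are never used on their own.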
         
      
   



Questions?

If you have any questions please drop a comment on this post and I will answer it as soon as possible.

Further reading

In my book, A Guide to OpenSAML, I describe the SAML Assertion and the rest of SAML in detail.


8 comments:

  1. Hello!

    We are trying to generate an assertion with OpenSaml and we have some doubts. Is your help possible?

    Thank you

    Replies
    1. Sure, this blog and my book, A Guide to OpenSAML, give some general introduction and help on OpenSAML. It does however not include anything on creating the assertion. For this you will have to do some research. Feel free to ask me questions when you have them.

  2. Hi,

    I've read parts of your book. Thank you for it, it has helped me a lot!! Using your project as a base, I'm setting up a small POC connecting to Google as the SAML IdP (I created a SAML app on Google using the Admin Console).

    After I send the AuthnRequest, instead of getting SAMLArt, I receive a SAMLResponse. The SAMLResponse is over 6k characters long. I don't know how it should be treated but with that aside:

    I've packaged the SAMLResponse as the Artifact inside the ArtifactResolve. Now I get this error "No KeyInfoGenerator was supplied in parameters or resolvable for credential type org.opensaml.security.X509.X509Credential, No KeyInfo will be generated for signature .... "

    I cannot seem to get past it. Am I responding to the wrong binding? Is it possible that Google isn't able to use my AuthnRequest properly i.e. recognize it as an HTTP-Artifact binding?

    Your help is truly appreciated.



    Replies
    1. Just making sure I have notify me checked off :)

    2. Hi, there are different ways in which the IdP can send you the Assertion. Artifact is one way. If artifact is used the IdP sends you an Artifact, you send it back and you get a SAML Response. Another method is that the IdP sends the Assertion directly in a SAML Response. This is what you got. So instead of having to send the Artifact you already have the Response. The Assertion is inside the Response object.

    3. Right! I realized that, and now I'm doing response.getSignature after giving it the element, but I can't find a way to validate it. I've tried to use the ProfileValidator, but I think I'm missing pieces. Do you know a good resource for it? Or should I dig into the book again?

    4. I have a chapter on it at the end of the book, but I see that I have made a mistake in the book. The Signature validator in OpenSAML V3 is no longer instantiated; instead it is a static method on SignatureValidator. Use the SignatureValidator.validate method.
