What is a SAML Assertion?

If you are just starting out trying to understand SAML, you will come across the term SAML Assertion quite quickly. In this post, I will try to explain what a SAML Assertion is and give you some examples of what one can look like. This post mainly looks at the SAML Assertion from the perspective of the SAML Web Browser Profile. If you don't know what that is, have a look at my post about exactly that.

What is a SAML Assertion?

The SAML Assertion is the main piece of the SAML puzzle. It is the object that the rest of SAML is built to create, transport and use safely.

A SAML Assertion is basically a package of security information about an entity (e.g. a user), issued by the Identity Provider (IdP) to the Service Provider (SP). When the user has authenticated with the IdP, a SAML Assertion carrying the IdP's information about that user is sent to the SP.

What does a SAML Assertion contain?

The SAML Assertion contains some general information, such as who issued it, when it was issued and the validity period of the assertion. The assertion also contains statements about the user. These come in three different types.

Authentication

The authentication statement contains, not surprisingly, information about the authentication of the user: mainly when and by what means the user was authenticated.

<saml:AuthnStatement
      AuthnInstant="2010-11-04T14:04:30Z"
      SessionIndex="s22428b07e56ce0dbd3f72237ce29c585541db5d01">
   <saml:AuthnContext>
      <saml:AuthnContextClassRef>
         urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </saml:AuthnContextClassRef>
   </saml:AuthnContext>
</saml:AuthnStatement>

Attribute

The attribute statement can contain application-specific attributes connected to the user, for example address, telephone number or social security number.

<saml:AttributeStatement>
   <saml:Attribute Name="social">
      <saml:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">
         555501234
      </saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute Name="email">
      <saml:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">
         someone@example.com
      </saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute Name="telephone">
      <saml:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">
         546848134886
      </saml:AttributeValue>
   </saml:Attribute>
</saml:AttributeStatement>

Authorization

The authorization decision statement contains information about the user's access rights to different resources. This statement can be used for basic authorization. For more advanced authorization cases, I recommend taking a look at the XACML standard.

<saml:AuthzDecisionStatement
      Decision="Permit"
      Resource="http://www.example.org/customers/getCustomers">
   <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
</saml:AuthzDecisionStatement>

What does a SAML Assertion look like?

Here is an example of what a whole assertion can look like.

<saml:Assertion
      ID="s2365479533bf942f8eaaa2c267f9bd4ff679ebc1f"
      IssueInstant="2011-01-24T08:47:50Z"
      Version="2.0"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
   <saml:Issuer>IDP-alias</saml:Issuer>
   <saml:Subject>
      <saml:NameID
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
            NameQualifier="IDP-alias"
            SPNameQualifier="my-alias">
         5VkzP/MZ1PMJ62o45/7DdFms9y7K
      </saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml:SubjectConfirmationData
               InResponseTo="_bba7e8a2f7a7c51e339d614b2c2d1178"
               NotOnOrAfter="2011-01-24T08:57:50Z"
               Recipient="https://myIDP.test.com/saml/consumer"/>
      </saml:SubjectConfirmation>
   </saml:Subject>
   <saml:Conditions NotBefore="2011-01-24T08:37:50Z" NotOnOrAfter="2011-01-24T08:57:50Z">
      <saml:AudienceRestriction>
         <saml:Audience>my-alias</saml:Audience>
      </saml:AudienceRestriction>
   </saml:Conditions>
   <saml:AuthnStatement
         AuthnInstant="2011-01-24T08:47:50Z"
         SessionIndex="s212cd7811734a92405b6ef8308a1b1a98e32e6f01">
      <saml:AuthnContext>
         <saml:AuthnContextClassRef>
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
         </saml:AuthnContextClassRef>
      </saml:AuthnContext>
   </saml:AuthnStatement>
   <saml:AttributeStatement>
      <saml:Attribute Name="social">
         <saml:AttributeValue
               xmlns:xs="http://www.w3.org/2001/XMLSchema"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:type="xs:string">
            555501234
         </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email">
         <saml:AttributeValue
               xmlns:xs="http://www.w3.org/2001/XMLSchema"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:type="xs:string">
            someone@example.com
         </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="telephone">
         <saml:AttributeValue
               xmlns:xs="http://www.w3.org/2001/XMLSchema"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:type="xs:string">
            546848134886
         </saml:AttributeValue>
      </saml:Attribute>
   </saml:AttributeStatement>
</saml:Assertion>
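As an added example (not code from the original post), here is an SP-side check of the general information described above, run over a trimmed copy of that assertion: Issuer, the Conditions validity window, the Audience, and the bearer confirmation's Recipient and InResponseTo, with the attribute statement returned only once every check passes. It assumes the assertion's XML signature has already been verified in a separate step that is not shown here, and uses only the Python standard library.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the assertion from the post, trimmed to the parts checked here.
ASSERTION = """<saml:Assertion ID="s2365479533bf942f8eaaa2c267f9bd4ff679ebc1f"
    IssueInstant="2011-01-24T08:47:50Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>IDP-alias</saml:Issuer>
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_bba7e8a2f7a7c51e339d614b2c2d1178"
        NotOnOrAfter="2011-01-24T08:57:50Z" Recipient="https://myIDP.test.com/saml/consumer"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2011-01-24T08:37:50Z" NotOnOrAfter="2011-01-24T08:57:50Z">
    <saml:AudienceRestriction><saml:Audience>my-alias</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>someone@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="telephone"><saml:AttributeValue>546848134886</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_ts(value):
    # SAML timestamps are UTC with a trailing "Z"; fromisoformat() wants "+00:00"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_assertion(xml_text, now, issuer, audience, recipient, request_id):
    """Check Issuer, Conditions and bearer confirmation; return attributes or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("unexpected Issuer")
    cond = root.find("saml:Conditions", NS)
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity period")
    if audience not in [a.text.strip() for a in root.findall(".//saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this SP")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if (scd.get("Recipient") != recipient or scd.get("InResponseTo") != request_id
            or now >= parse_ts(scd.get("NotOnOrAfter"))):
        raise ValueError("bearer confirmation failed")
    return {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS).strip()
            for a in root.findall(".//saml:Attribute", NS)}

def check_sample(now_iso, audience="my-alias"):
    """Run the sample assertion through the checks at a given UTC time (hypothetical SP settings)."""
    try:
        return validate_assertion(ASSERTION, parse_ts(now_iso), "IDP-alias", audience,
                                  "https://myIDP.test.com/saml/consumer", "_bba7e8a2f7a7c51e339d614b2c2d1178")
    except ValueError as exc:
        return str(exc)
```

Note that the window between NotBefore and NotOnOrAfter is half-open, so an assertion presented exactly at NotOnOrAfter is already rejected.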