A SAML assertion is a declaration of fact about a subject. SAML defines three types of assertions that can be made about a given subject:
The SAML specification is designed so that extensions can be made to include new types of information in an assertion. Assertions might or might not (depending on the transport mechanism) be digitally signed by their issuer.
All assertions contain a number of required attributes:
Conditions: A set of conditions under which the assertion should be accepted. SAML includes a built-in condition called a validity period that indicates when the assertion becomes valid and when it ceases to be valid.
In order to be useful, SAML assertions must "assert" something. Statements about a user's authenticity, attributes, or authorization are placed under the main assertion element. An assertion must contain at least one statement.
An authentication statement asserts that a subject S authenticated to the issuing system using method M at time T. A Relying Party receiving an assertion containing an authentication statement can choose to accept the user authentication performed at the issuer's site. The authentication statement provides SAML SSO functionality.
The example below shows a simple SAML authentication assertion. For this example, the assertion does not contain any of the optional SAML data, nor does it declare the required SAML namespace. The assertion states that user cn=joe,o=novell authenticated to Novell at the specified time using the password method.Figure 1
An attribute statement asserts that a subject S has attribute A in namespace N with value(s) V. A Relying Party can associate the subject with the provided attribute. This allows a Relying Party to create customize its application for external users. It also allows users accessing a site using SAML to be auto-provisioned with appropriate user data.
The example below shows a simple SAML attribute assertion. For this example, the assertion does not contain any of the optional SAML data, nor does it declare the required SAML namespace. The assertions states that user cn=joe,o=novell has attribute Email in namespace urn:test:attributes with value firstname.lastname@example.org.Figure 2
Authorization decision assertions are issued by a Policy Decision Point and are used to determine if a subject S should be granted access to a resource R with access type A, given the provided evidence E. The subject can be any entity, either a human user or a program, that wants access to a resource. The resource can represent any data or service that requires access control.
The example below shows a simple SAML authorization decision assertion. For this example, the assertion does not contain any of the optional SAML data, nor does it declare the required SAML namespace. The assertion states that user cn=joe,o=novell should be granted access to the Buy action on the uri:novell.com/buy_stuff resource.Figure 3