A SAML assertion is a declaration of fact about a subject. SAML defines three types of assertions that can be made about a given subject:
Authentication assertions, which state that the subject authenticated to the issuer at a particular time using a particular method.
Attribute assertions, which state that the subject has particular attribute values.
Authorization decision assertions, which state whether the subject should be granted a requested type of access to a resource.
The SAML specification is designed so that it can be extended to carry new types of information in an assertion. Assertions might or might not be digitally signed by their issuer, depending on the transport mechanism: an assertion that is relayed through the user's browser must be signed, because the Relying Party otherwise has no way to tell whether the user altered it, whereas an assertion that the Relying Party fetches directly from the issuer over a mutually authenticated channel is protected by that channel.
All assertions carry the following core elements (the issuer identifier, issuance time stamp and subject are required; conditions and advice are optional, but a Relying Party should expect conditions on any assertion it receives):
Issuer identifier: An issuer name that allows the receiver of the assertion to know who it came from and to decide whether that issuer is trusted.
Issuance time stamp: The exact time, in UTC, at which the assertion was generated.
Subject: A name along with a security domain (the name qualifier) that says which authority the name is meaningful in. The subject can also contain confirmation data, which tells the Relying Party how the party presenting the assertion can prove that it is the subject.
Conditions: A set of conditions under which the assertion should be accepted. SAML includes a built-in condition called a validity period (the NotBefore and NotOnOrAfter attributes) that indicates when the assertion becomes valid and when it ceases to be valid; the Relying Party evaluates these against its own clock, allowing only a small tolerance for clock skew. An assertion can also be restricted to a named audience, and a Relying Party must reject an assertion that carries a condition it does not understand.
Optional advice: Discretionary information that the Relying Party can ignore.
In order to be useful, SAML assertions must "assert" something. Statements about a user's authentication, attributes, or authorization are carried as child elements of the assertion element, and an assertion must contain at least one statement.
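As an added example (not code from this page or from Novell's product), the following Python applies the Relying Party checks for the envelope elements just described to a constructed SAML 1.1 assertion: issuer trust, issuance time, the validity period with a clock-skew tolerance, audience restriction, rejection of unrecognized conditions, and the requirement that at least one statement be present. Signature verification is assumed to have already happened and is not shown. The issuer and audience URLs, the assertion ID and all timestamps are made up for the example.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}
KNOWN_CONDITIONS = {f"{{{SAML_NS}}}AudienceRestrictionCondition",
                    f"{{{SAML_NS}}}DoNotCacheCondition"}
STATEMENT_TAGS = {f"{{{SAML_NS}}}{n}" for n in
                  ("AuthenticationStatement", "AttributeStatement",
                   "AuthorizationDecisionStatement", "SubjectStatement")}

# Constructed sample (not from the page): a minimal SAML 1.1 assertion with the
# envelope elements described in the text plus one authentication statement.
# Issuer, audience, AssertionID and timestamps are invented for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-assertion-001"
    Issuer="https://idp.example.com"
    IssueInstant="2024-05-01T11:59:00Z">
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2024-05-01T11:58:30Z">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="example.com">cn=joe,o=example</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_instant(text):
    """Parse an xsd:dateTime in UTC (SAML requires the trailing 'Z')."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return dt.datetime.strptime(text, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"bad SAML timestamp: {text!r}")


def validate_assertion(xml_text, trusted_issuers, my_audience, now,
                       skew=dt.timedelta(seconds=120)):
    """Relying Party checks on the assertion envelope. Returns (accepted, reason).

    Signature verification is assumed to have been done before calling this;
    `now` must be a timezone-aware datetime in UTC.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML 1.x assertion"

    # Issuer: only accept assertions from issuers we have a trust relationship with.
    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer!r}"

    # IssueInstant: a timestamp from the future means a broken clock or tampered data.
    issue_instant = root.get("IssueInstant")
    if not issue_instant:
        return False, "missing IssueInstant"
    if parse_instant(issue_instant) > now + skew:
        return False, "IssueInstant is in the future"

    # Conditions: the validity window is [NotBefore, NotOnOrAfter); the end is exclusive.
    conditions = root.find("saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now + skew < parse_instant(not_before):
            return False, "assertion not yet valid"
        if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
            return False, "assertion has expired"
        for cond in conditions:
            # SAML 1.1 treats an unrecognized condition as Indeterminate, and an
            # Indeterminate assertion must not be relied on.
            if cond.tag not in KNOWN_CONDITIONS:
                return False, f"unrecognized condition {cond.tag}"
        for arc in conditions.findall("saml:AudienceRestrictionCondition", NS):
            audiences = [(a.text or "").strip() for a in arc.findall("saml:Audience", NS)]
            if my_audience not in audiences:
                return False, "assertion not addressed to this audience"

    # An assertion that asserts nothing is useless: require at least one statement.
    if not any(child.tag in STATEMENT_TAGS for child in root):
        return False, "assertion contains no statements"
    return True, "ok"


if __name__ == "__main__":
    now = dt.datetime(2024, 5, 1, 12, 3, tzinfo=dt.timezone.utc)
    print(validate_assertion(SAMPLE_ASSERTION, {"https://idp.example.com"},
                             "https://sp.example.com", now))
```

The skew is applied in the direction that favours acceptance on both ends of the window, which is the usual practice; a deployment that prefers to fail closed can set it to zero. Replay detection (remembering AssertionIDs already consumed) is a separate check that sits alongside this one.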
An authentication statement asserts that a subject S authenticated to the issuing system using method M at time T. A Relying Party that receives an assertion containing an authentication statement can choose to accept the authentication performed at the issuer's site instead of authenticating the user again; this is what provides SAML single sign-on (SSO) functionality. The statement records how and when the user authenticated, not how strongly, so a Relying Party that cares about authentication strength must inspect the method.
The example below shows a simple SAML authentication assertion. For this example, the assertion does not contain any of the optional SAML data, nor does it declare the required SAML namespace. The assertion states that user cn=joe,o=novell authenticated to Novell at the specified time using the password method.
Figure 1
An attribute statement asserts that a subject S has attribute A in namespace N with value(s) V. A Relying Party can associate the subject with the provided attributes. This allows the Relying Party to customize its application for external users, and it allows users accessing a site through SAML to be auto-provisioned with appropriate user data.
The example below shows a simple SAML attribute assertion. For this example, the assertion does not contain any of the optional SAML data, nor does it declare the required SAML namespace. The assertion states that user cn=joe,o=novell has attribute Email in namespace urn:test:attributes with value joe@novell.com.
Figure 2
Authorization decision assertions are issued by a Policy Decision Point and are used to determine whether a subject S should be granted access to a resource R with access type A, given the provided evidence E. The subject can be any entity, either a human user or a program, that wants access to a resource. The resource can represent any data or service that requires access control.
The example below shows a simple SAML authorization decision assertion. For this example, the assertion does not contain any of the optional SAML data, nor does it declare the required SAML namespace. The assertion states that user cn=joe,o=novell should be granted access to the Buy action on the uri:novell.com/buy_stuff resource.
Figure 3
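To make the three statement types concrete, here is an added Python example (it is not the XML from the figures above, which is not reproduced here, and it is not Novell's code) that builds one SAML 1.1 assertion containing an authentication, an attribute and an authorization decision statement with the values used in the three descriptions above, and then reduces each statement back to the tuple the text describes, as a Relying Party would consume it. The assertion ID, timestamps, action namespace and evidence reference are made up; unlike the figures, the generated assertion declares the SAML namespace.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML_NS)


def q(local):
    """Clark-notation tag for an element in the SAML 1.x assertion namespace."""
    return f"{{{SAML_NS}}}{local}"


def new_assertion(issuer, issue_instant, assertion_id):
    """Assertion envelope: version, ID, issuer and issuance time are all required."""
    return ET.Element(q("Assertion"), MajorVersion="1", MinorVersion="1",
                      AssertionID=assertion_id, Issuer=issuer, IssueInstant=issue_instant)


def _add_subject(statement, name, qualifier):
    """In SAML 1.x the subject (name plus security domain) sits inside each statement."""
    subject = ET.SubElement(statement, q("Subject"))
    ident = ET.SubElement(subject, q("NameIdentifier"), NameQualifier=qualifier)
    ident.text = name
    return subject


def add_authentication_statement(assertion, name, qualifier, method, instant):
    """Subject S authenticated using method M at time T."""
    stmt = ET.SubElement(assertion, q("AuthenticationStatement"),
                         AuthenticationMethod=method, AuthenticationInstant=instant)
    _add_subject(stmt, name, qualifier)
    return stmt


def add_attribute_statement(assertion, name, qualifier, attributes):
    """Subject S has attribute A in namespace N with value(s) V; attributes is [(A, N, [V...])]."""
    stmt = ET.SubElement(assertion, q("AttributeStatement"))
    _add_subject(stmt, name, qualifier)
    for attr_name, attr_ns, values in attributes:
        attr = ET.SubElement(stmt, q("Attribute"),
                             AttributeName=attr_name, AttributeNamespace=attr_ns)
        for value in values:
            ET.SubElement(attr, q("AttributeValue")).text = value
    return stmt


def add_authorization_decision_statement(assertion, name, qualifier, resource,
                                         decision, actions, action_ns, evidence_ids=()):
    """Subject S is Permit/Deny for actions A on resource R, given evidence E.

    Evidence is given as references to other assertions by ID.
    """
    stmt = ET.SubElement(assertion, q("AuthorizationDecisionStatement"),
                         Resource=resource, Decision=decision)
    _add_subject(stmt, name, qualifier)
    for action in actions:
        ET.SubElement(stmt, q("Action"), Namespace=action_ns).text = action
    if evidence_ids:
        evidence = ET.SubElement(stmt, q("Evidence"))
        for ref in evidence_ids:
            ET.SubElement(evidence, q("AssertionIDReference")).text = ref
    return stmt


def summarize_statements(assertion):
    """Reduce each statement to the (S, M, T) / (S, A, N, V) / (S, R, A, E) facts it asserts."""
    out = []
    for stmt in assertion:
        subject = stmt.findtext(f"{q('Subject')}/{q('NameIdentifier')}")
        if stmt.tag == q("AuthenticationStatement"):
            out.append({"type": "authentication", "subject": subject,
                        "method": stmt.get("AuthenticationMethod"),
                        "instant": stmt.get("AuthenticationInstant")})
        elif stmt.tag == q("AttributeStatement"):
            attrs = {(a.get("AttributeNamespace"), a.get("AttributeName")):
                     [v.text for v in a.findall(q("AttributeValue"))]
                     for a in stmt.findall(q("Attribute"))}
            out.append({"type": "attribute", "subject": subject, "attributes": attrs})
        elif stmt.tag == q("AuthorizationDecisionStatement"):
            out.append({"type": "authorization_decision", "subject": subject,
                        "resource": stmt.get("Resource"), "decision": stmt.get("Decision"),
                        "actions": [a.text for a in stmt.findall(q("Action"))],
                        "evidence": [e.text for e in
                                     stmt.findall(f"{q('Evidence')}/{q('AssertionIDReference')}")]})
    return out


def build_example():
    """One assertion carrying the page's three example statements.

    The AssertionID, timestamps, action namespace and evidence ID are made up.
    """
    a = new_assertion("Novell", "2024-05-01T12:00:00Z", "_constructed-assertion-1")
    add_authentication_statement(a, "cn=joe,o=novell", "novell",
                                 "urn:oasis:names:tc:SAML:1.0:am:password",
                                 "2024-05-01T11:59:30Z")
    add_attribute_statement(a, "cn=joe,o=novell", "novell",
                            [("Email", "urn:test:attributes", ["joe@novell.com"])])
    add_authorization_decision_statement(a, "cn=joe,o=novell", "novell",
                                         "uri:novell.com/buy_stuff", "Permit", ["Buy"],
                                         "urn:example:actions", ["_constructed-authn-assertion"])
    return a


def to_xml(assertion):
    return ET.tostring(assertion, encoding="unicode")


if __name__ == "__main__":
    print(to_xml(build_example()))
```

Keeping the builder and the summarizer separate mirrors the two sides of the exchange: the issuer only ever runs the former, and the Relying Party only ever runs the latter, after the envelope checks (issuer, validity period, audience) have passed.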