SAML Assertion

A SAML assertion is an XML document issued by an Identity Provider (IdP) that makes statements about a subject (typically a user). It is the core of SAML authentication: the Service Provider (SP) trusts the identity information it carries only because the assertion (or the SAML Response that wraps it) is digitally signed by the IdP and passes the validation checks below.

Assertion Structure

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Version="2.0" ID="_abc123"
    IssueInstant="2024-01-15T10:30:00Z">

  <saml:Issuer>https://idp.example.com</saml:Issuer>

  <!-- Enveloped XML signature over this Assertion; its ds:Reference URI is "#_abc123" -->
  <ds:Signature>...</ds:Signature>

  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <!-- InResponseTo is present for SP-initiated SSO and must equal the ID of the AuthnRequest the SP sent -->
      <saml:SubjectConfirmationData
          NotOnOrAfter="2024-01-15T10:35:00Z"
          Recipient="https://sp.example.com/acs"
          InResponseTo="..."/>
    </saml:SubjectConfirmation>
  </saml:Subject>

  <saml:Conditions
      NotBefore="2024-01-15T10:29:00Z"
      NotOnOrAfter="2024-01-15T10:35:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>

  <saml:AuthnStatement AuthnInstant="2024-01-15T10:30:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>

  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

Statement Types

  • Authentication Statement: when (AuthnInstant) and how (AuthnContext) the subject authenticated at the IdP
  • Attribute Statement: attributes of the subject (name, role, email); the SP must only act on attributes that arrive inside a validated, signed assertion
  • Authorization Decision Statement: access decisions for a named resource (rarely used in practice)

Validation Requirements

  • Verify the XML signature against the IdP's signing certificate pinned from its metadata; reject unsigned assertions and unknown keys, and require that the signature's Reference URI is the ID of the very assertion you consume, not some sibling element (this is what defeats XML Signature Wrapping)
  • Check Issuer matches the trusted IdP's entity ID exactly (no prefix or substring matching)
  • Validate time conditions (NotBefore, NotOnOrAfter) on both Conditions and SubjectConfirmationData, allowing only a small, bounded clock skew
  • Verify Audience includes the SP's own entity ID
  • Check Recipient matches the ACS URL the assertion was delivered to, and that InResponseTo matches an AuthnRequest ID the SP actually issued (or is absent for IdP-initiated SSO)
  • Reject replayed assertion IDs within their validity window
  • Parse with DTDs and external entities disabled, and validate against the SAML schema before trusting any value
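The checks above as one validator, written here as an added example and not code from the original page. It assumes the cryptographic signature verification has already been done by an XML-DSig library against the IdP's pinned certificate, and covers everything else: issuer, signature-to-assertion binding, validity windows with bounded skew, audience, bearer confirmation (Recipient, expiry, InResponseTo) and replay. The sample assertion, the SP configuration values, the request ID `_req789` and the helper names (`validate_assertion`, `run_checks`, `parse_time`) are constructed for the example; `xml.etree` is used so it runs offline, but a real SP should parse with `defusedxml` and DTDs disabled.

```python
import xml.etree.ElementTree as ET  # production: defusedxml, DTDs/external entities disabled
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample mirroring the structure on this page; IDs, URLs and "..." are illustrative.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0" ID="_abc123"
    IssueInstant="2024-01-15T10:30:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_abc123"/></ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-15T10:35:00Z"
          Recipient="https://sp.example.com/acs" InResponseTo="_req789"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T10:29:00Z" NotOnOrAfter="2024-01-15T10:35:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-15T10:30:00Z"/>
</saml:Assertion>"""

# Hypothetical SP configuration: these values come from the SP's own config, never from the message.
SP_CONFIG = dict(trusted_issuer="https://idp.example.com",
                 sp_entity_id="https://sp.example.com",
                 acs_url="https://sp.example.com/acs")


def parse_time(value):
    """Parse a SAML xs:dateTime such as 2024-01-15T10:35:00Z into an aware UTC datetime."""
    dt = datetime.fromisoformat(value[:-1] + "+00:00" if value.endswith("Z") else value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


VALID_AT = parse_time("2024-01-15T10:30:30Z")    # inside the validity window
EXPIRED_AT = parse_time("2024-01-15T10:40:00Z")  # after NotOnOrAfter, beyond the skew


def validate_assertion(xml_text, *, trusted_issuer, sp_entity_id, acs_url, now,
                       expected_in_response_to=None, seen_ids=None,
                       clock_skew=timedelta(seconds=60)):
    """Return the list of failed checks (empty means accepted). Assumes the caller has
    already verified the XML signature cryptographically against the IdP's pinned cert."""
    failures = []

    def need(ok, message):
        if not ok:
            failures.append(message)

    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        return ["root element is not a saml:Assertion"]
    assertion_id = root.get("ID")

    # Issuer: exact match against the pinned IdP entity ID.
    need(root.findtext("saml:Issuer", default="", namespaces=NS).strip() == trusted_issuer,
         "Issuer is not the trusted IdP")

    # Signature binding: the verified signature must be a direct child of this assertion and
    # reference this assertion's ID; otherwise an attacker can place an unsigned assertion
    # next to a validly signed one (XML Signature Wrapping).
    signature = root.find("ds:Signature", NS)
    need(signature is not None, "assertion is unsigned")
    if signature is not None:
        uris = [r.get("URI") for r in signature.findall("ds:SignedInfo/ds:Reference", NS)]
        need(uris == [f"#{assertion_id}"], f"signature not bound to this assertion (References={uris})")

    # Conditions: validity window with a small bounded skew, plus audience restriction.
    cond = root.find("saml:Conditions", NS)
    need(cond is not None, "no Conditions element")
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        need(not nb or now + clock_skew >= parse_time(nb), "Conditions NotBefore is in the future")
        need(not noa or now - clock_skew < parse_time(noa), "Conditions NotOnOrAfter has passed")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        need(sp_entity_id in audiences, f"Audience {audiences} does not include this SP")

    # Bearer confirmation: Recipient is our ACS, it carries its own expiry, and InResponseTo
    # equals the AuthnRequest ID we issued (None for IdP-initiated SSO, so it must be absent).
    bearer = [sc for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS)
              if sc.get("Method") == BEARER]
    data = bearer[0].find("saml:SubjectConfirmationData", NS) if bearer else None
    need(data is not None, "no bearer SubjectConfirmation with SubjectConfirmationData")
    if data is not None:
        need(data.get("Recipient") == acs_url, "Recipient is not this SP's ACS URL")
        expiry = data.get("NotOnOrAfter")
        need(expiry is not None and now - clock_skew < parse_time(expiry),
             "SubjectConfirmationData NotOnOrAfter missing or passed")
        need(data.get("InResponseTo") == expected_in_response_to,
             "InResponseTo does not match the AuthnRequest this SP issued")

    # Replay: an assertion ID may be consumed once; record it only when everything else passed.
    if seen_ids is not None:
        need(assertion_id not in seen_ids, f"replay of assertion ID {assertion_id}")
        if not failures:
            seen_ids.add(assertion_id)
    return failures


def run_checks():
    """Run the validator over the constructed sample and a few tampered variants."""
    def cfg(**overrides):
        return dict(SP_CONFIG, expected_in_response_to="_req789", seen_ids=set(), **overrides)
    results = {"valid": validate_assertion(SAMPLE_ASSERTION, now=VALID_AT, **cfg())}
    once = cfg()  # same seen_ids set shared by two deliveries of the same assertion
    validate_assertion(SAMPLE_ASSERTION, now=VALID_AT, **once)
    results["replayed"] = validate_assertion(SAMPLE_ASSERTION, now=VALID_AT, **once)
    results["expired"] = validate_assertion(SAMPLE_ASSERTION, now=EXPIRED_AT, **cfg())
    results["wrong_audience"] = validate_assertion(
        SAMPLE_ASSERTION, now=VALID_AT, **cfg(sp_entity_id="https://other-sp.example.com"))
    # Wrapping attempt: the consumed assertion's ID changes while the signature still references the original.
    results["wrapped"] = validate_assertion(
        SAMPLE_ASSERTION.replace('ID="_abc123"', 'ID="_injected"'), now=VALID_AT, **cfg())
    return results


if __name__ == "__main__":
    for name, failures in run_checks().items():
        print(f"{name}: {'accepted' if not failures else failures}")
```

The validator collects every failure rather than stopping at the first so that logs show the full picture of a bad message; the replay set is only updated on a fully successful validation, and the signature-binding check is deliberately separate from the cryptographic check because a valid signature over the wrong element is exactly the condition wrapping attacks exploit.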

See Also