
SAML Assertions

SAML assertions are the core data elements of the Security Assertion Markup Language (SAML) used for web-based single sign-on (SSO). An assertion is an XML element (saml:Assertion), issued by a SAML identity provider (IdP), that makes statements about a principal (the subject). It conveys authentication information, attribute data and, optionally, authorization decisions, and is intended for a specific service provider (SP), which it names as its audience.

An assertion typically includes: an Issuer, identifying the IdP that created it; a Subject, usually represented by a NameID that conveys the user's identity, together with a SubjectConfirmation (the bearer method in browser SSO) whose SubjectConfirmationData names the intended Recipient and, in SP-initiated flows, the request it answers (InResponseTo); Conditions, including NotBefore, NotOnOrAfter, and an AudienceRestriction to limit where the assertion can be used; and Statements such as an AuthnStatement (the authentication event and its context), an AttributeStatement (user attributes) and, less commonly in practice, an AuthzDecisionStatement (an authorization decision). The AuthnStatement may carry an AuthnContext describing the strength of the authentication, for example the AuthnContextClassRef of the method the IdP used.

Assertions are digitally signed by the IdP (XML Signature) to provide integrity and authenticity, and may be encrypted for confidentiality when transmitted to the SP. In browser-based SSO, the IdP sends the assertion to the SP inside a SAML Response, typically using the HTTP POST binding relayed through the user's browser. Before granting access, the SP verifies the signature, confirms that the signed element is the very Assertion (or Response) it is about to consume rather than some other element in the document, checks the Issuer and Audience, and enforces the stated Conditions.

Security considerations include managing trust via IdP metadata (the signing certificates an SP will accept), setting appropriate assertion lifetimes (short validity windows with a small allowance for clock skew), enforcing audience restrictions, protecting against replay attacks (remembering consumed assertion IDs until their NotOnOrAfter has passed, and matching Recipient and InResponseTo in the SubjectConfirmationData), and ensuring secure transport (TLS on the assertion consumer service). SAML assertions are a foundational element of SAML 2.0, enabling interoperable cross-domain authentication in many enterprise environments.
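The SP-side checks described above (Issuer, Audience, Conditions window, bearer SubjectConfirmationData and replay protection) as one worked example. This is added code, not part of the original page or of any SAML library. It assumes the Response has already passed XML Signature verification with a proper XMLDSig library (xmlsec or python3-saml), which it does not reimplement; the endpoint URLs, clock-skew and lifetime values, and the sample assertion are constructed for the example.

```python
"""SP-side validation of a SAML 2.0 assertion AFTER signature verification.

Added example (not the page's or any library's code). Assumes the enclosing
Response has already been checked with an XMLDSig library; the remaining
checks the page lists are implemented here. All URLs and values are made up.
"""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

SP_CONFIG = {  # hypothetical SP settings; in practice these come from metadata
    "issuer": "https://idp.example.com/metadata",
    "audience": "https://sp.example.com/metadata",
    "acs_url": "https://sp.example.com/saml/acs",
    "skew": timedelta(seconds=120),          # tolerated clock drift
    "max_lifetime": timedelta(minutes=10),   # reject overly long validity windows
}


class SamlValidationError(Exception):
    pass


def parse_saml_time(value):
    """xs:dateTime in UTC ('Z' suffix), with or without fractional seconds."""
    if not value.endswith("Z"):
        raise SamlValidationError(f"timestamp not in UTC: {value}")
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(value[:-1], fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise SamlValidationError(f"unparseable timestamp: {value}")


class ReplayCache:
    """Remembers consumed assertion IDs until they could no longer be valid."""
    def __init__(self):
        self._seen = {}  # assertion ID -> time after which it can be forgotten

    def consume(self, assertion_id, expires_at, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # purge
        if assertion_id in self._seen:
            raise SamlValidationError(f"replayed assertion {assertion_id}")
        self._seen[assertion_id] = expires_at


def validate_assertion(xml_text, cfg, cache, now, in_response_to=None):
    a = ET.fromstring(xml_text)
    if a.tag != f"{{{SAML}}}Assertion" or a.get("Version") != "2.0":
        raise SamlValidationError("not a SAML 2.0 Assertion element")
    assertion_id = a.get("ID")
    if not assertion_id:
        raise SamlValidationError("assertion has no ID")
    if a.findtext("saml:Issuer", "", NS).strip() != cfg["issuer"]:
        raise SamlValidationError("unexpected Issuer")
    # Conditions: time window (with skew), bounded lifetime, audience
    cond = a.find("saml:Conditions", NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        raise SamlValidationError("Conditions with NotOnOrAfter are required")
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now - cfg["skew"] >= not_on_or_after:
        raise SamlValidationError("assertion expired")
    if "NotBefore" in cond.attrib:
        not_before = parse_saml_time(cond.get("NotBefore"))
        if now + cfg["skew"] < not_before:
            raise SamlValidationError("assertion not yet valid")
        if not_on_or_after - not_before > cfg["max_lifetime"]:
            raise SamlValidationError("assertion lifetime too long")
    restrictions = cond.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        raise SamlValidationError("AudienceRestriction is required")
    for r in restrictions:  # every AudienceRestriction must name this SP
        if cfg["audience"] not in [(x.text or "").strip() for x in r.findall("saml:Audience", NS)]:
            raise SamlValidationError("assertion not intended for this audience")
    # Subject: NameID plus a bearer confirmation addressed to our ACS and our request
    subj = a.find("saml:Subject", NS)
    name_id = subj.findtext("saml:NameID", "", NS).strip() if subj is not None else ""
    if not name_id:
        raise SamlValidationError("missing Subject/NameID")
    confirmed = False
    for sc in subj.findall("saml:SubjectConfirmation", NS):
        d = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or d is None or d.get("Recipient") != cfg["acs_url"]:
            continue
        if "NotOnOrAfter" in d.attrib and now - cfg["skew"] >= parse_saml_time(d.get("NotOnOrAfter")):
            continue
        if d.get("InResponseTo") != in_response_to:  # both None for IdP-initiated SSO
            continue
        confirmed = True
    if not confirmed:
        raise SamlValidationError("no acceptable bearer SubjectConfirmation")
    cache.consume(assertion_id, not_on_or_after + cfg["skew"], now)  # replay protection
    attrs = {at.get("Name"): [v.text or "" for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    ctx = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", None, NS)
    return {"id": assertion_id, "name_id": name_id, "authn_context": ctx, "attributes": attrs}


def rejection_reason(xml_text, cfg, cache, now, in_response_to=None):
    """None if the assertion is accepted, otherwise the reason it was rejected."""
    try:
        validate_assertion(xml_text, cfg, cache, now, in_response_to)
        return None
    except SamlValidationError as e:
        return str(e)


SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"
     InResponseTo="_req42" NotOnOrAfter="2024-05-01T12:05:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 <saml:AuthnStatement AuthnInstant="2024-05-01T11:59:58Z"><saml:AuthnContext>
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
 </saml:AuthnContext></saml:AuthnStatement>
 <saml:AttributeStatement><saml:Attribute Name="groups">
  <saml:AttributeValue>admins</saml:AttributeValue><saml:AttributeValue>dev</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement></saml:Assertion>"""  # constructed sample
```

The ordering matters: the replay cache is only updated once every other check has passed, so a rejected assertion does not poison the cache, and entries are kept until NotOnOrAfter plus the skew allowance, after which the assertion could not be accepted anyway. The InResponseTo comparison is deliberately strict in both directions: an SP that expects an answer to a specific AuthnRequest rejects unsolicited assertions, and an SP running IdP-initiated SSO rejects assertions that claim to answer a request it never made.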