SAML assertions are a declaration of facts about a principal. For example, an assertion can be made that a particular client was granted update privileges to a specific database resource at a certain time. Assertions are constructed in XML based on the SAML assertion schema. Assertions are built from the user’s session information and optional attribute information using the siteAttributeMapper class. For more information, see PartnerSiteAttributeMapper Interface.
One assertion can contain many different statements made by the authority.
The SAML specification provides for different types of assertions:
An authentication assertion declares that the specified subject has been authenticated by a particular means at a particular time. This information is declared within an AuthenticationStatement XML tag. In Access Manager, the Authentication Service is the authentication authority. The following code example illustrates a SAML assertion with an AuthenticationStatement.
<?xml version="1.0" encoding="UTF-8" ?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0"
    AssertionID="random-182726"
    Issuer="sunserver.example.com"
    IssueInstant="2001-11-05T17:23:00GMT-02:00">
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2001-11-05T17:22:00GMT-02:00">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="example.com">John Doe</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
An attribute assertion declares that the specified subject is associated with the specified attribute. This information is declared within an AttributeStatement XML tag. The identity data store that is networked with Access Manager is the attribute authority. The following code example illustrates a SAML assertion with an AttributeStatement.
<?xml version="1.0" encoding="UTF-8" ?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0"
    AssertionID="random-182726"
    Issuer="sunserver.example.com"
    IssueInstant="2001-11-05T17:23:00GMT-02:00">
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="dc=example,dc=com">uid=amadmin,dc=example,dc=com</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="sn" AttributeNamespace="urn:sun:fm:samples:saml:query">
      <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:1.1:assertion">amadmin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="cn" AttributeNamespace="urn:sun:fm:samples:saml:query">
      <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:1.1:assertion">amadmin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
An authorization decision assertion declares that the specified subject’s request for access to a specified resource has been granted or denied. This information is declared within an AuthorizationDecisionStatement XML tag. In Access Manager, the Policy Service is the authorization authority.
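The following Python consumer is an added example, not code from the Access Manager documentation or product. It parses a SAML 1.0 assertion of either kind shown above (an AuthenticationStatement or an AttributeStatement, and it also recognizes an AuthorizationDecisionStatement), extracts the issuer, subject, authentication method and attributes, and runs the basic checks a relying party applies before trusting any statement: expected issuer, expected version, IssueInstant neither in the future nor stale, and AuthenticationInstant not later than IssueInstant. The two sample assertions are constructed here and modelled on the page's examples, but use xsd:dateTime timestamps in UTC ("...Z") because the page's "GMT-02:00" form is not a parseable xsd:dateTime. The trusted issuer name, the five-minute freshness window and the 60-second clock skew are assumptions of this example. It performs no XML signature verification; a real consumer must verify the assertion's signature before any of these checks mean anything.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML10 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML10}

# Constructed sample modelled on the page's AuthenticationStatement example.
AUTHN_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="random-182726"
    Issuer="sunserver.example.com" IssueInstant="2001-11-05T17:23:00Z">
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2001-11-05T17:22:00Z">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="example.com">John Doe </saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

# Constructed sample modelled on the page's AttributeStatement example,
# including its SAML 1.1 AttributeValue nested inside a SAML 1.0 Attribute.
ATTR_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="random-182726"
    Issuer="sunserver.example.com" IssueInstant="2001-11-05T17:23:00Z">
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="dc=example,dc=com">
        uid=amadmin,dc=example,dc=com</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="sn" AttributeNamespace="urn:sun:fm:samples:saml:query">
      <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:1.1:assertion">amadmin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="cn" AttributeNamespace="urn:sun:fm:samples:saml:query">
      <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:1.1:assertion">amadmin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on qualified names.
    return tag.rsplit("}", 1)[-1]


def _parse_time(value):
    # xsd:dateTime in UTC, e.g. 2001-11-05T17:23:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assertion(xml_text):
    """Return the assertion header and one dict per statement it carries."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML10}}}Assertion":
        raise ValueError(f"not a SAML 1.0 Assertion: {root.tag}")
    info = {
        "id": root.get("AssertionID"),
        "issuer": root.get("Issuer"),
        "version": (root.get("MajorVersion"), root.get("MinorVersion")),
        "issue_instant": _parse_time(root.get("IssueInstant")),
        "statements": [],
    }
    for stmt in root:
        kind = _local(stmt.tag)
        if not kind.endswith("Statement"):
            continue  # Conditions, Advice, ds:Signature etc. are not statements
        entry = {"type": kind}
        name_id = stmt.find("saml:Subject/saml:NameIdentifier", NS)
        if name_id is not None:
            entry["subject"] = (name_id.text or "").strip()
            entry["name_qualifier"] = name_id.get("NameQualifier")
        if kind == "AuthenticationStatement":
            entry["method"] = stmt.get("AuthenticationMethod")
            entry["authn_instant"] = _parse_time(stmt.get("AuthenticationInstant"))
        elif kind == "AttributeStatement":
            attrs = {}
            for attr in stmt.findall("saml:Attribute", NS):
                # Match AttributeValue by local name only: the page's sample nests
                # a SAML 1.1 AttributeValue inside a SAML 1.0 Attribute.
                values = [(v.text or "").strip() for v in attr if _local(v.tag) == "AttributeValue"]
                attrs[attr.get("AttributeName")] = values
            entry["attributes"] = attrs
        elif kind == "AuthorizationDecisionStatement":
            entry["resource"] = stmt.get("Resource")
            entry["decision"] = stmt.get("Decision")
        info["statements"].append(entry)
    return info


def check_assertion(info, trusted_issuer, now_iso, max_age_seconds=300, skew_seconds=60):
    """Return a list of reasons to reject the parsed assertion (empty if acceptable)."""
    now = _parse_time(now_iso)
    max_age, skew = timedelta(seconds=max_age_seconds), timedelta(seconds=skew_seconds)
    problems = []
    if info["version"] != ("1", "0"):
        problems.append("unexpected SAML version %s.%s" % info["version"])
    if info["issuer"] != trusted_issuer:
        problems.append(f"untrusted issuer {info['issuer']!r}")
    if info["issue_instant"] > now + skew:
        problems.append("IssueInstant is in the future")
    if now - info["issue_instant"] > max_age:
        problems.append("assertion is stale")
    if not info["statements"]:
        problems.append("assertion carries no statements")
    for st in info["statements"]:
        if not st.get("subject"):
            problems.append(f"{st['type']} has no subject")
        if st["type"] == "AuthenticationStatement" and st["authn_instant"] > info["issue_instant"] + skew:
            problems.append("AuthenticationInstant is later than IssueInstant")
    return problems


if __name__ == "__main__":
    for sample in (AUTHN_ASSERTION, ATTR_ASSERTION):
        parsed = parse_assertion(sample)
        print(parsed["statements"], check_assertion(parsed, "sunserver.example.com", "2001-11-05T17:24:00Z"))
```

The freshness and issuer checks matter because an assertion is only a signed statement by an authority; a consumer that accepts any issuer, or an assertion of any age, turns every captured assertion into a reusable credential.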
The OASIS Security Services (SAML) Technical Committee has recently frozen this query type (the authorization decision query) in favor of using the eXtensible Access Control Markup Language (XACML). Future versions of Access Manager will reflect this.