SAML assertions are declarations of facts about a principal. For example, an assertion can state that a particular client was granted update privileges to a specific database resource at a certain time. Assertions are constructed in XML according to the SAML assertion schema. Assertions are built from the user’s session information and, optionally, attribute information supplied through the SiteAttributeMapper class. For more information, see SiteAttributeMapper and PartnerSiteAttributeMapper Interfaces.
One assertion can contain many different statements made by the authority.
The SAML specification provides for different types of assertions:
An authentication assertion declares that the specified subject has been authenticated by a particular means at a particular time. This information is declared in an AuthenticationStatement element. In Access Manager, the Authentication Service is the authentication authority. The following code example illustrates a sample authentication assertion.
<?xml version="1.0" encoding="UTF-8" ?>
<!-- Assertion header: version, unique ID, issuing authority and issue time -->
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0"
    AssertionID="random-182726"
    Issuer="sunserver.example.com"
    IssueInstant="2001-11-05T17:23:00GMT-02:00">
  <!-- One statement: how and when the subject was authenticated -->
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2001-11-05T17:22:00GMT-02:00">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="example.com">John Doe</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
An attribute assertion declares that the specified subject is associated with the specified attribute. This information is declared in an AttributeStatement element. The identity data store that is networked with Access Manager is the attribute authority.
An authorization decision assertion declares that the specified subject’s request for access to a specified resource has been granted or denied. This information is declared in an AuthorizationDecisionStatement element. In Access Manager, the Policy Service is the authorization authority.
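As an added example (not code from the Access Manager documentation), the following Python consumer parses a SAML 1.0 assertion and groups its statements by the three types described above, refusing to read any statement unless the Issuer is the authority it trusts. The sample assertion, its attribute name and resource URL are constructed for illustration.

```python
import xml.etree.ElementTree as ET
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}

# Constructed sample: one assertion carrying each of the three statement kinds.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="0" AssertionID="random-182726"
  Issuer="sunserver.example.com" IssueInstant="2001-11-05T17:23:00GMT-02:00">
 <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
   AuthenticationInstant="2001-11-05T17:22:00GMT-02:00">
  <saml:Subject><saml:NameIdentifier NameQualifier="example.com">John Doe</saml:NameIdentifier></saml:Subject>
 </saml:AuthenticationStatement>
 <saml:AttributeStatement>
  <saml:Subject><saml:NameIdentifier NameQualifier="example.com">John Doe</saml:NameIdentifier></saml:Subject>
  <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
   <saml:AttributeValue>dba</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
 <saml:AuthorizationDecisionStatement Resource="https://db.example.com/orders" Decision="Permit">
  <saml:Subject><saml:NameIdentifier NameQualifier="example.com">John Doe</saml:NameIdentifier></saml:Subject>
  <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Update</saml:Action>
 </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""

def _subject(stmt):
    # Every statement type names its subject the same way.
    return stmt.findtext("saml:Subject/saml:NameIdentifier", default="", namespaces=NS).strip()

def parse_assertion(xml_text, expected_issuer):
    """Group a SAML 1.0 assertion's statements by type.

    A consumer should only act on facts declared by the authority it trusts,
    so an unexpected Issuer is rejected before any statement is read."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML or root.get("MajorVersion") != "1":
        raise ValueError("not a SAML 1.x assertion")
    if root.get("Issuer") != expected_issuer:
        raise ValueError("untrusted issuer: %r" % root.get("Issuer"))
    out = {"authentication": [], "attribute": [], "authz_decision": []}
    for s in root.findall("saml:AuthenticationStatement", NS):
        out["authentication"].append({"subject": _subject(s),
            "method": s.get("AuthenticationMethod"), "instant": s.get("AuthenticationInstant")})
    for s in root.findall("saml:AttributeStatement", NS):
        attrs = {a.get("AttributeName"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                 for a in s.findall("saml:Attribute", NS)}
        out["attribute"].append({"subject": _subject(s), "attributes": attrs})
    for s in root.findall("saml:AuthorizationDecisionStatement", NS):
        out["authz_decision"].append({"subject": _subject(s), "resource": s.get("Resource"),
            "decision": s.get("Decision"), "actions": [a.text for a in s.findall("saml:Action", NS)]})
    return out
```

Signature verification and validity-period checks on the assertion are a separate step that must run before this parser's output is trusted.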