Example of SAML Assertions

This topic describes a simple example of a SAML assertion carried in a WS-Security SOAP header.


The following is an example of a SAML 2 assertion in the SOAP header.

<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
	<SOAP:Header>
		<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
			<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
				xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="8101AB8C-A44A-4324-403F-A23C4FA596E0" 
				IssueInstant="2014-01-28T08:55:55.489Z" Version="2.0">
				<saml2:Issuer>myIDP</saml2:Issuer>
				<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
					<ds:SignedInfo>
						<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
						<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
						<ds:Reference URI="#8101AB8C-A44A-4324-403F-A23C4FA596E0">
							<ds:Transforms>
								<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
								<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
									<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" 
										PrefixList="xs"/>
								</ds:Transform>
							</ds:Transforms>
							<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
							<ds:DigestValue>6qHuykVqZ/7SNaSyNh8Hw9kVyoI=</ds:DigestValue>
						</ds:Reference>
					</ds:SignedInfo>
					<ds:SignatureValue>
O3QlR+zmB0IfT8KmjRgAu4mSMuM2gssIo3H53V55FgsH4i9rlRQ1xb9LD1ncwuIv88XdS21Qw4g+KqglIvFhsHFhOwgqcAECSVY4BxzXNEjkDONUGVlk8M22fmPAYnsy+HQj6TTvasO8fF4L5pR+Ya7b47rTofwED4lIIFlGQec=</ds:SignatureValue>
					<ds:KeyInfo>
						<ds:X509Data>
							<ds:X509Certificate>...</ds:X509Certificate>
						</ds:X509Data>
					</ds:KeyInfo>
				</ds:Signature>
				<saml2:Subject>
					<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" 
						NameQualifier="myNameIDQualifier">[email protected]</saml2:NameID>
					<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
						<saml2:SubjectConfirmationData NotOnOrAfter="2014-02-04T14:46:30Z"/>
					</saml2:SubjectConfirmation>
				</saml2:Subject>
				<saml2:Conditions NotBefore="2014-02-04T14:26:30Z" NotOnOrAfter="2014-02-04T14:46:30Z">
					<saml2:AudienceRestriction>
						<saml2:Audience>mySP</saml2:Audience>
					</saml2:AudienceRestriction>
				</saml2:Conditions>
				<saml2:AuthnStatement>
					<saml2:AuthnContext>
						<saml2:AuthnContextClassRef/>
					</saml2:AuthnContext>
				</saml2:AuthnStatement>
			</saml2:Assertion>
		</wsse:Security>
	</SOAP:Header>
	<SOAP:Body>
		<GetUserDetails xmlns="http://schemas.cordys.com/1.0/ldap"/>
	</SOAP:Body>
</SOAP:Envelope>

User Identity of SAML Assertions

The user identity retrieved from a SAML assertion is taken from the NameID element.

<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameQualifier="myNameIDQualifier">[email protected]</saml2:NameID>

In the above example, the identity [email protected] is used as the osidentity. The authentication framework uses the osidentity to look up the authenticated user and then, in combination with the organization, resolves the organization user.
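The following is an added example, not code from the product or from this page, showing what a relying party must check on an assertion like the one above before the NameID is accepted as the osidentity. It assumes the XML-DSig signature has already been verified against the trusted IdP certificate by a proper XML-Signature library (the sample certificate is elided on this page, so the signature maths is out of scope here). The envelope, the assertion ID `_ex-id-1`, the NameID `alice@example.com`, and the function names `parse_instant`, `validate_assertion` and `check` are all constructed for this example.

```python
"""Relying-party checks for a SAML 2.0 bearer assertion in a wsse:Security header.

Added example, not the product's own code. Assumes signature verification
has already been done by an XML-DSig library; this block enforces the
remaining checks an SP needs before trusting the NameID as the osidentity:
issuer, validity window, audience, bearer confirmation, and that the
enveloped signature really references the assertion being trusted.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "SOAP": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample modelled on the page's envelope: same structure and the
# same validity window, with digest, signature and certificate values omitted.
SAMPLE_ENVELOPE = """<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_ex-id-1" IssueInstant="2014-02-04T14:26:30.489Z" Version="2.0">
  <saml2:Issuer>myIDP</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#_ex-id-1"/></ds:SignedInfo>
  </ds:Signature>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2014-02-04T14:46:30Z"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2014-02-04T14:26:30Z" NotOnOrAfter="2014-02-04T14:46:30Z">
    <saml2:AudienceRestriction><saml2:Audience>mySP</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>
</wsse:Security>
</SOAP:Header>
<SOAP:Body><GetUserDetails xmlns="http://schemas.cordys.com/1.0/ldap"/></SOAP:Body>
</SOAP:Envelope>"""


def parse_instant(value):
    """Parse a SAML xs:dateTime (UTC, 'Z' suffix, optional fraction) into an aware datetime."""
    if not value:
        raise ValueError("missing timestamp")
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML timestamp: {value!r}")


def validate_assertion(envelope_xml, trusted_issuer, expected_audience, now,
                       skew=timedelta(seconds=60)):
    """Return the NameID if every check passes, else raise ValueError naming the failure."""
    root = ET.fromstring(envelope_xml)
    assertion = root.find("SOAP:Header/wsse:Security/saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml2:Assertion in the wsse:Security header")
    # The enveloped signature must reference this assertion's own ID; otherwise the
    # element that was signed and the element about to be trusted are not the same.
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (assertion.get("ID") or ""):
        raise ValueError("signature Reference does not cover this assertion")
    if assertion.findtext("saml2:Issuer", "", NS).strip() != trusted_issuer:
        raise ValueError("untrusted Issuer")
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    # Validity window with a small clock-skew allowance in both directions.
    if now + skew < parse_instant(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= parse_instant(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text.strip() for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this audience")
    subject = assertion.find("saml2:Subject", NS)
    name_id = subject.findtext("saml2:NameID", "", NS).strip() if subject is not None else ""
    if not name_id:
        raise ValueError("missing NameID")
    # Only bearer confirmations are acceptable here, and each must carry its own expiry.
    bearer = [c for c in subject.findall("saml2:SubjectConfirmation", NS) if c.get("Method") == BEARER]
    if not bearer:
        raise ValueError("no bearer SubjectConfirmation")
    for conf in bearer:
        data = conf.find("saml2:SubjectConfirmationData", NS)
        if data is None or data.get("NotOnOrAfter") is None:
            raise ValueError("bearer confirmation lacks NotOnOrAfter")
        if now - skew >= parse_instant(data.get("NotOnOrAfter")):
            raise ValueError("bearer confirmation expired")
    return name_id  # this value becomes the osidentity


def check(envelope_xml, trusted_issuer="myIDP", expected_audience="mySP", now=None):
    """Convenience wrapper: (True, name_id) on success, (False, reason) on failure."""
    try:
        return True, validate_assertion(envelope_xml, trusted_issuer, expected_audience, now)
    except ValueError as exc:
        return False, str(exc)
```

Calling `check(SAMPLE_ENVELOPE, now=parse_instant("2014-02-04T14:30:00Z"))` returns the NameID, while a clock outside the Conditions window, an Audience other than mySP, an Issuer other than myIDP, or a Signature whose Reference URI no longer matches the Assertion ID each produce a distinct rejection reason. In production the `now` argument is the real clock; it is a parameter here so the page's 2014 validity window can be exercised.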

Related concepts

SAML