
SAML Assertions

A SAML Assertion is the core artifact of a SAML federation. It is a highly-structured, XML-based “Statement of Truth” issued by an Identity Provider (IdP) that asserts a user’s identity, their attributes, and their authorization status to a Service Provider (SP).

Assertion: Federation Artifact

Core Mission: Identity Encapsulation. Providing a cryptographically signed document that securely mirrors a user's session and attributes across domain boundaries.

Like a Notarized Letter: A trusted authority (the IdP) writes a letter stating exactly who you are and what you are allowed to do. They sign it with a physical seal (the digital signature) that you present to the recipient (the SP).

Typical uses: Enterprise SSO / RBAC / Multi-Domain Access

A complete SAML Assertion typically contains three distinct types of statements within a secure XML wrapper.

1. Authentication Statement: Declares that the user was authenticated at a specific time using a specific method (e.g., Password or MFA).

2. Attribute Statement: Supplies verified data about the user, such as their email, full name, department, or group memberships.

3. Authorization Statement: Optional. Provides explicit decisions on whether the user is permitted to access specific resources.

Because SAML delivers the assertion through the user's browser (the client POSTs it to the SP), the document is untrusted input until proven otherwise, and the SP must strictly validate the XML before acting on any of its contents.

Component                 | Validation action                                   | Why?
--------------------------|-----------------------------------------------------|------------------------------------------------------------------------
Digital Signature         | Verify <ds:Signature> against the IdP public key    | Proves the document hasn't been modified and came from the IdP.
Conditions (NotBefore)    | Ensure the current time is after this value         | Prevents "look-ahead" attacks using pre-generated assertions.
Conditions (NotOnOrAfter) | Ensure the current time is before this value        | Protects against the use of ancient, leaked assertions.
AudienceRestriction       | Match against your SP Entity ID                     | Ensures the assertion was specifically intended for your application.
An abbreviated assertion showing these elements:

    <saml:Assertion ID="_unique_id" IssueInstant="2024-05-20T12:00:00Z" ...>
      <saml:Issuer>https://idp.company.com/</saml:Issuer>
      <ds:Signature>...</ds:Signature>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
          user@company.com
        </saml:NameID>
      </saml:Subject>
      <saml:Conditions NotBefore="..." NotOnOrAfter="...">
        <saml:AudienceRestriction>
          <saml:Audience>https://sp.yourapp.com/</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Attribute Name="Role">
          <saml:AttributeValue>Manager</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
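The validation steps from the table, run against an assertion like the one shown, as an added example that is not part of the original page: the check_assertion() helper and the sample assertion are constructed for illustration, and it assumes the <ds:Signature> has already been verified against the IdP public key by an XML-DSig library, with the result passed in as a boolean.

```python
from datetime import datetime
import xml.etree.ElementTree as ET  # for untrusted XML, prefer defusedxml to block entity attacks

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not real IdP output). The ds:Signature element is left out:
# verifying it needs an XML-DSig library plus the IdP certificate, which is modelled here
# by the signature_ok flag passed into check_assertion().
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2024-05-20T12:00:00Z">
  <saml:Issuer>https://idp.company.com/</saml:Issuer>
  <saml:Subject><saml:NameID>user@company.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-20T11:59:00Z" NotOnOrAfter="2024-05-20T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.yourapp.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_saml_time(value):
    """SAML timestamps are UTC xsd:dateTime with a trailing Z; older Pythons' fromisoformat
    do not accept the Z, so normalise it to an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, expected_issuer, sp_entity_id, now, signature_ok):
    """Return the list of reasons to reject; an empty list means all checks passed.
    now must be a timezone-aware datetime. Missing NotBefore/NotOnOrAfter are rejected here,
    a deliberately strict policy (the SAML schema itself makes both attributes optional)."""
    problems = []
    if not signature_ok:          # never trust any field below until the signature is good
        problems.append("signature")
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["conditions-missing"]
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or now < parse_saml_time(nb):
        problems.append("not-yet-valid")       # look-ahead: assertion minted for the future
    if noa is None or now >= parse_saml_time(noa):
        problems.append("expired")             # NotOnOrAfter is exclusive, hence >=
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append("audience")            # minted for some other SP
    return problems
```

Each check is reported separately so a failing assertion can be logged with every reason, not just the first one found.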
