Information in SAML Assertion while performing SAML Authentication

Article ID: CTX206867

Description

What Does a SAML Assertion Tell Us

Assertion:
 
<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://saml.citrix.local/cgi/samlauth" Destination="https://idp.citrix.local:8443/idp/profile/SAML2/POST/SSO" ID="9def49e914aea3df1f2619c05a01bbc7" IssueInstant="2012-07-10T06:43:19Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">aaa.citrix.local</saml:Issuer>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
         <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <Reference URI="">
            <Transforms>
               <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>uydzIdX+Wyi9IepcvUahoBuwGKE=</DigestValue>
         </Reference>
      </SignedInfo>
      <SignatureValue>izSrTma4L7+RNTGBDYSH99OfL75HAGsjRbHooDYI51v6OPVEoXlVN+bLhX+BuT+iHDhJdwC6Vl45ZhpCHUt1U9dxOSxBK5RoRbKCTNuoiipJZL4Zn7xOCJwSaHh73tWYuSMWazVGc98K+RNZD1xBZ2c693ZO0PceGS6kvAo9NxU=</SignatureValue>
      <KeyInfo>
         <X509Data>
            <X509Certificate>MIICiDCCAfECCQCe1liLldVYQ…..</X509Certificate>
         </X509Data>
      </KeyInfo>
   </Signature>
</samlp:AuthnRequest>
 

What does this assertion tell us?
 

  • Consumer is https://saml.citrix.local/cgi/samlauth
  • IdP is https://idp.citrix.local:8443/idp/profile/SAML2/POST/SSO
  • Unique ID for each assertion
  • When it is issued (SAML is sensitive to time, as Kerberos is, to avoid replays)
  • HTTP-POST method being used
  • Version 2.0
  • SAML issuer: who created this assertion
  • Digest is a SHA-1 hash
  • Signature is basically the hash of the message (SHA-1) encrypted with the public key of the IdP, so only the IdP can verify the message integrity
  • Public certificate of the SAML issuer (in this case: aaa.citrix.local)
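The following is an added example, not Citrix code, that reads the AuthnRequest quoted above and extracts each item in the list: consumer URL, IdP destination, ID, IssueInstant, binding, version, issuer, digest and signature algorithms, and whether a certificate is embedded. It also shows the two checks the list alludes to, a freshness window on IssueInstant and a seen-ID cache against replays, and flags the SHA-1 algorithm identifiers, which a modern verifier should refuse. It does not verify the signature itself: that requires exclusive C14N plus the full certificate (truncated in the article), and in XML-DSig the SignatureValue is checked with the public key from the embedded X509Certificate, that is, the signer's own certificate. The sample XML is the article's request embedded as a constructed byte string; the freshness and skew windows are assumed defaults.

```python
"""Pull the fields the article lists out of a SAML 2.0 AuthnRequest.

Added example, not Citrix code. Standard library only; the sample below is
the AuthnRequest quoted in the article (certificate truncated as shown there).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# SHA-1 based digest/signature algorithms; a verifier should flag or refuse them.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
}

# Constructed input: the article's request as bytes (keeps the encoding declaration valid).
SAMPLE_AUTHN_REQUEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://saml.citrix.local/cgi/samlauth" Destination="https://idp.citrix.local:8443/idp/profile/SAML2/POST/SSO" ID="9def49e914aea3df1f2619c05a01bbc7" IssueInstant="2012-07-10T06:43:19Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">aaa.citrix.local</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>uydzIdX+Wyi9IepcvUahoBuwGKE=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>izSrTma4L7+RNTGBDYSH99OfL75HAGsjRbHooDYI51v6OPVEoXlVN+bLhX+BuT+iHDhJdwC6Vl45ZhpCHUt1U9dxOSxBK5RoRbKCTNuoiipJZL4Zn7xOCJwSaHh73tWYuSMWazVGc98K+RNZD1xBZ2c693ZO0PceGS6kvAo9NxU=</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>MIICiDCCAfECCQCe1liLldVYQ.....</X509Certificate></X509Data></KeyInfo>
  </Signature>
</samlp:AuthnRequest>
"""


def _text(el):
    return el.text.strip() if el is not None and el.text else None


def summarize_authn_request(xml_bytes):
    """Return the items the article's bullet list calls out, as a dict."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("expected samlp:AuthnRequest, got %s" % root.tag)
    digest_alg = root.find("ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    sig_alg = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    algorithms = {el.get("Algorithm") for el in (digest_alg, sig_alg) if el is not None}
    return {
        "consumer": root.get("AssertionConsumerServiceURL"),
        "idp": root.get("Destination"),
        "id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "binding": root.get("ProtocolBinding"),
        "version": root.get("Version"),
        "issuer": _text(root.find("saml:Issuer", NS)),
        "digest_algorithm": digest_alg.get("Algorithm") if digest_alg is not None else None,
        "signature_algorithm": sig_alg.get("Algorithm") if sig_alg is not None else None,
        "has_certificate": _text(cert) is not None,
        "weak_algorithms": sorted(algorithms & WEAK_ALGORITHMS),
    }


def _parse_instant(value):
    """Parse a SAML UTC timestamp (xs:dateTime ending in Z, optional fraction)."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp: %r" % value)


def is_fresh(issue_instant, now, max_age_seconds=300, skew_seconds=60):
    """True if IssueInstant is at most max_age old and at most skew in the future (assumed windows)."""
    issued = _parse_instant(issue_instant)
    current = _parse_instant(now)
    return (current - timedelta(seconds=max_age_seconds)
            <= issued <= current + timedelta(seconds=skew_seconds))


class ReplayCache:
    """Remember request IDs already accepted so a replayed message is rejected."""

    def __init__(self):
        self._seen = set()

    def accept(self, request_id):
        if request_id in self._seen:
            return False
        self._seen.add(request_id)
        return True


if __name__ == "__main__":
    summary = summarize_authn_request(SAMPLE_AUTHN_REQUEST)
    for key, value in summary.items():
        print("%-20s %s" % (key, value))
    print("fresh as of 2012-07-10T06:45:00Z:",
          is_fresh(summary["issue_instant"], "2012-07-10T06:45:00Z"))
```

Run as a script it prints each field; in a real consumer the IssueInstant check would use the current clock, the Destination would be compared against the endpoint the message actually arrived at, and the replay cache would be backed by shared storage with entries expiring after the freshness window.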