OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] Assertion and EncryptedAssertion

This is a profiling question over and above base SAML. For one example, the “Kantara Initiative eGovernment Implementation Profile of SAML V2.0” states:     Message Content


The Web Browser SSO Profile allows responses to contain any number of assertions and statements. Identity Provider implementations MUST allow the number of <saml2:Assertion>, <saml2:AuthnStatement>, and <saml2:AttributeStatement> elements in the <saml2p:Response> message to be limited to one. In turn, Service Provider implementations MAY limit support to a single instance of those elements when processing <saml2p:Response> messages.


The entire profile is available from:



Bob Sunday

Cyber Authentication Initiative I Initiative d’authentification Cyber

Chief Information Officer Branch | Direction du dirigeant principal de l'information

Treasury Board of Canada Secretariat | Secrétariat du Conseil du Trésor du Canada

Ottawa, Canada K1A 0R5

Office: 613-941-4764

Email: robert.sunday@tbs-sct.gc.ca

Government of Canada | Gouvernement du Canada


From: Brent Putman [mailto:putmanb@georgetown.edu]
Sent: January 30, 2012 8:51 PM
To: saml-dev@lists.oasis-open.org
Subject: Re: [saml-dev] Assertion and EncryptedAssertion



On 1/30/12 8:16 PM, David Yu wrote:
> Dear SAML experts,
> I have a question regarding Assertion and EncryptedAssertion.
> I think I need either Assertion or EncryptedAssertion in the
> SAMLResponse but not both for it to work.
> Correct me if I am wrong.
> However, I did not see in the document that a response can only have
> exactly one Assertion or EncryptedAssertion.
> Is it defined in the schema?

Yes, it is defined. A SAML 2 ResponseType can contain 0 to unbounded Assertion and/or EncryptedAssertion elements. It is not limited to 1 and the multiple Assertions and EncryptedAssertions can appear in any order, since it's an unbounded choice.

The schema snippet:

>    <element name="Response" type="samlp:ResponseType"/>
>     <complexType name="ResponseType">
>         <complexContent>
>             <extension base="samlp:StatusResponseType">
>                 <choice minOccurs="0" maxOccurs="unbounded">
>                     <element ref="saml:Assertion"/>
>                     <element ref="saml:EncryptedAssertion"/>
>                 </choice>
>             </extension>
>         </complexContent>
>     </complexType>

To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: saml-dev-help@lists.oasis-open.org

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]