Subject: Re: [saml-dev] Assertion and EncryptedAssertion
This is a profiling question over and above base SAML. For one example, the “Kantara Initiative eGovernment Implementation Profile of SAML V2.0” states:
220.127.116.11 Message Content
The Web Browser SSO Profile allows responses to contain any number of assertions and statements. Identity Provider implementations MUST allow the number of <saml2:Assertion>, <saml2:AuthnStatement>, and <saml2:AttributeStatement> elements in the <saml2p:Response> message to be limited to one. In turn, Service Provider implementations MAY limit support to a single instance of those elements when processing <saml2p:Response> messages.
The entire profile is available from:
Cyber Authentication Initiative | Initiative d’authentification Cyber
Chief Information Officer Branch | Direction du dirigeant principal de l'information
Treasury Board of Canada Secretariat | Secrétariat du Conseil du Trésor du Canada
Ottawa, Canada K1A 0R5
Government of Canada | Gouvernement du Canada
On 1/30/12 8:16 PM, David Yu wrote:
> Dear SAML experts,
> I have a question regarding Assertion and EncryptedAssertion.
> I think I need either Assertion or EncryptedAssertion in the
> SAMLResponse but not both for it to work.
> Correct me if I am wrong.
> However, I did not see in the document that a response can only have
> exactly one Assertion or EncryptedAssertion.
> Is it defined in the schema?
Yes, it is defined. A SAML 2 ResponseType can contain 0 to unbounded Assertion and/or EncryptedAssertion elements. It is not limited to 1 and the multiple Assertions and EncryptedAssertions can appear in any order, since it's an unbounded choice.
The schema snippet:
> <element name="Response" type="samlp:ResponseType"/>
> <complexType name="ResponseType">
> <extension base="samlp:StatusResponseType">
> <choice minOccurs="0" maxOccurs="unbounded">
> <element ref="saml:Assertion"/>
> <element ref="saml:EncryptedAssertion"/>
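
An SP-side shape check for the point discussed in this thread, added here as an example and not code from either poster or from the profile: the schema permits any number of Assertion and EncryptedAssertion children, so a Service Provider that limits itself to one, as the quoted profile allows, has to enforce that itself. The names `single_assertion`, `ResponseShapeError` and the sample documents are hypothetical; signature validation and decryption are assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ASSERTION_TAGS = (f"{{{SAML}}}Assertion", f"{{{SAML}}}EncryptedAssertion")

class ResponseShapeError(ValueError):
    """Response is schema-valid but outside what this SP accepts."""

def single_assertion(response_xml):
    """Return ("Assertion" | "EncryptedAssertion", element) or raise."""
    # Assumption: input size and entity handling are bounded upstream; the
    # stdlib parser is used only to keep this example self-contained.
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ResponseShapeError("root element is not samlp:Response")
    # Direct children only: the schema's unbounded choice sits directly
    # under Response, so copies nested elsewhere are never counted.
    found = [(child.tag.split("}", 1)[1], child)
             for child in root if child.tag in ASSERTION_TAGS]
    if len(found) != 1:
        raise ResponseShapeError(f"expected 1 assertion, got {[k for k, _ in found]}")
    kind, elem = found[0]
    if kind == "Assertion":
        # The profile also lets an SP limit these statements to one each.
        for stmt in ("AuthnStatement", "AttributeStatement"):
            n = len(elem.findall(f"{{{SAML}}}{stmt}"))
            if n > 1:
                raise ResponseShapeError(f"{n} {stmt} elements in assertion")
    return kind, elem

def _resp(body):
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">'
            f"{body}</samlp:Response>")

# Constructed samples (unsigned and minimal, not real IdP output).
ONE_PLAIN = _resp('<saml:Assertion ID="_a1"><saml:AuthnStatement/></saml:Assertion>')
ONE_ENCRYPTED = _resp("<saml:EncryptedAssertion/>")
MIXED = _resp('<saml:EncryptedAssertion/><saml:Assertion ID="_a2"/>')
EMPTY = _resp("")
```

The check runs before any assertion content is trusted; a response that fails it is rejected outright rather than having one assertion picked from several.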