What is a SAML assertion?
2022-04-22 20:32:00 【nington01】
Assertions are one of the most powerful features of the Security Assertion Markup Language (SAML 2.0). They enable small and medium-sized enterprises to adopt single sign-on (SSO), balancing a convenient user experience with fine-grained control of user permissions in web applications. This is crucial for industries with strict data security regulatory requirements. This article introduces the basic concept of assertions, how they work, how they are applied, and the specific statements an assertion contains.
01
What is a SAML assertion?
SAML assertions are messages exchanged between an identity provider (IdP) and a service provider (SP) that confidentially identify who the user is, what relevant information exists about them, and what they are authorized to access. This information serves as a security condition (such as the source of the assertion) and also ensures the validity of the assertion. Assertions are written using an XML schema, which provides a canvas for specifying particular conditions. These conditions are communicated after the SAML request has been verified successfully, and the SAML response is sent in place of a user name and password shared over the network.
02
XML documents
Assertions are recorded as XML documents and transmitted between the IdP and the SP in a standardized way. The XML documents are composed according to schemas for assertions and protocols.
Writing assertions is a coding activity that requires testing and quality assurance. Enterprises should therefore maintain the assertion schema throughout the life cycle of the single sign-on system. Enterprises that do not support custom development can use pre-built connectors.
03
Types of SAML assertion statements
Statements in an assertion can be broken down by specific function. The SAML 2.0 open standard specifies three types of statements:
- Authentication statement
- Attribute statement
- Authorization decision statement
These statements are encapsulated in a SAML assertion, which gives great flexibility to the rollout and governance of identity and access management (IAM). The three statements are described below.
1) Authentication statement
The authentication statement is generated by the system that authenticates the user. It contains information produced by the authentication decision and log information such as a timestamp.
2) Attribute statement
SAML can convey information about users, including their department, whether they belong to a "VIP" group with access privileges, and basic contact information such as email. Attribute statements can be created in custom applications and mapped back to predefined values.
3) Authorization decision statement
The authorization decision statement provides details such as what the user is permitted to do, including access to specific web pages or secured areas of an application. For instance, enterprises should restrict access to employees' private information. This is also a function unique to the SAML protocol; OIDC and other authentication protocols do not support it.
04
How to use assertion statements ?
An assertion contains one or more statements of different types, depending on whether it is configured for authentication only or for authentication plus authorization. It may also contain user-defined statements. Assertion statements allow systems to interact across domains, support single sign-on (SSO) for websites and attribute-based user authentication, and protect web services by sharing security information in Simple Object Access Protocol (SOAP) messages.
Ning Dun has a built-in SSO application library that simplifies adding applications. The Ning Dun single sign-on (SSO) system supports SAML 2.0, OIDC, OAuth 2.0 and other international standard protocols, and also offers the self-developed Easy SSO protocol, providing single sign-on integration for enterprise B/S applications, C/S applications, applications with no interface, and applications that cannot be modified or further developed. The product is delivered in standardized form and can be deployed in as little as 1 day.
Copyright notice
This article was created by [nington01]. Please include the original link when reposting. Thank you.
https://yzsam.com/2022/04/202204221907596930.html