OpenText Cordys 10.6 documentation : Example of SAML Assertions

Example of SAML Assertions

This topic describes a simple example of a SAML assertion in a WS-Security SOAP header.

The following is an example of a SAML 2 assertion in the SOAP header.

<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
	<SOAP:Header>
		<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
			<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
				xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="8101AB8C-A44A-4324-403F-A23C4FA596E0" 
				IssueInstant="2014-01-28T08:55:55.489Z" Version="2.0">
				<saml2:Issuer>myIDP</saml2:Issuer>
				<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
					<ds:SignedInfo>
						<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
						<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
						<ds:Reference URI="#8101AB8C-A44A-4324-403F-A23C4FA596E0">
							<ds:Transforms>
								<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
								<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
									<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" 
										PrefixList="xs"/>
								</ds:Transform>
							</ds:Transforms>
							<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
							<ds:DigestValue>6qHuykVqZ/7SNaSyNh8Hw9kVyoI=</ds:DigestValue>
						</ds:Reference>
					</ds:SignedInfo>
					<ds:SignatureValue>
O3QlR+zmB0IfT8KmjRgAu4mSMuM2gssIo3H53V55FgsH4i9rlRQ1xb9LD1ncwuIv88XdS21Qw4g+KqglIvFhsHFhOwgqcAECSVY4BxzXNEjkDONUGVlk8M22fmPAYnsy+HQj6TTvasO8fF4L5pR+Ya7b47rTofwED4lIIFlGQec=</ds:SignatureValue>
					<ds:KeyInfo>
						<ds:X509Data>
							<ds:X509Certificate>
MIIB0zCCATygAwIBAgIEUudzojANBgkqhkiG9w0BAQUFADAnMSUwIwYDVQQDExxTZWxmIFNpZ25l
ZCBUZXN0IENlcnRpZmljYXRlMB4XDTE0MDEyODA4NTU1M1oXDTE0MDEyOTA4NTU1M1owITEfMB0G
A1UEAxMWVmFsaWQgVGVzdCBDZXJ0aWZpY2F0ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
l1apB+4Ts9mmQL+lmpYQLtRDrYmZJMxOkcmrOapOekhSHwQgi+MgU3kNEf5cz5f3mioO+U6sXp+Q
di0k1ncim+nAPpbN5jzw1bE5UcKoLQyFljZFQNwRAcc4pIIt4TApxjoH+iWs0lpbxDZNyLxdr9LR
fdaBqVuAzyrfzXBdHdkCAwEAAaMSMBAwDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBBQUAA4GB
ADNZPublEH4aeZYiT/eBYmyB75z0y9g7sGFph0uISYoyTV340Nl4f0oG8ZDU8hMwImD5AkENxadR
NNLcQ+CqsdYnXylmvrRI8kOY1rUwLm7H53b9rfixFZT3ofQ/AtlPvowGlNj4N7oEx5TIyyUA/VlM
PEx/YnJy8AA/FgdQIlbh</ds:X509Certificate>
						</ds:X509Data>
					</ds:KeyInfo>
				</ds:Signature>
				<saml2:Subject>
					<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" 
						NameQualifier="myNameIDQualifier">someuser@example.com</saml2:NameID>
					<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
						<saml2:SubjectConfirmationData NotOnOrAfter="2014-02-04T14:46:30Z"/>
					</saml2:SubjectConfirmation>
				</saml2:Subject>
				<saml2:Conditions NotBefore="2014-02-04T14:26:30Z" NotOnOrAfter="2014-02-04T14:46:30Z">
					<saml2:AudienceRestriction>
						<saml2:Audience>mySP</saml2:Audience>
					</saml2:AudienceRestriction>
				</saml2:Conditions>
				<saml2:AuthnStatement>
					<saml2:AuthnContext>
						<saml2:AuthnContextClassRef/>
					</saml2:AuthnContext>
				</saml2:AuthnStatement>
			</saml2:Assertion>
		</wsse:Security>
	</SOAP:Header>
	<SOAP:Body>
		<GetUserDetails xmlns="http://schemas.cordys.com/1.0/ldap"/>
	</SOAP:Body>
</SOAP:Envelope>

User Identity of SAML Assertions

The user identity retrieved from a SAML assertion is taken from the NameID element.

<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameQualifier="myNameIDQualifier">someuser@example.com</saml2:NameID>

In the above example, the identity someuser@example.com is used as the osidentity. The authentication framework uses the osidentity to find the authenticated user and then, in combination with the organization, resolves the organization user.
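As an added example (not Cordys code), the following Python shows a relying party extracting the NameID from the wsse:Security header and applying the checks it should make before using that value as the osidentity: exactly one assertion, a signature Reference that covers the assertion's own ID, the Conditions window, the Audience, and the bearer SubjectConfirmation expiry. The sample envelope, the audience mySP and the evaluation time are constructed; XML signature verification itself is left to a SAML/XML-DSig library.

```python
# Added example (not Cordys code): pull the NameID out of a WS-Security SAML 2 assertion and
# make the checks a relying party needs first. XML-DSig verification is done separately.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"SOAP": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _ts(s):  # SAML timestamps are UTC ISO 8601 ending in "Z"; fractional seconds are optional
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def extract_identity(envelope_xml, expected_audience, now):
    """Return the NameID text (the osidentity), or raise ValueError if any check fails."""
    root = ET.fromstring(envelope_xml)
    assertions = root.findall("SOAP:Header/wsse:Security/saml2:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion in wsse:Security")
    a = assertions[0]
    # The signed Reference must point at this assertion's own ID, not at some other element
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        raise ValueError("Signature Reference does not cover the Assertion")
    cond = a.find("saml2:Conditions", NS)  # NotBefore is inclusive, NotOnOrAfter exclusive
    if cond is None or not _ts(cond.get("NotBefore", "")) <= now < _ts(cond.get("NotOnOrAfter", "")):
        raise ValueError("Conditions missing or assertion outside its validity window")
    if expected_audience not in [e.text for e in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]:
        raise ValueError("assertion is not addressed to this audience")
    scd = a.find("saml2:Subject/saml2:SubjectConfirmation[@Method='urn:oasis:names:tc:SAML:2.0:cm:bearer']"
                 "/saml2:SubjectConfirmationData", NS)
    if scd is None or now >= _ts(scd.get("NotOnOrAfter", "")):
        raise ValueError("bearer SubjectConfirmation missing or expired")
    nameid = a.find("saml2:Subject/saml2:NameID", NS)
    if nameid is None or not (nameid.text or "").strip():
        raise ValueError("NameID missing")
    return nameid.text.strip()

# Constructed sample envelope: dummy signature value, Reference URI matching the Assertion ID
SAMPLE = """<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"><SOAP:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="A1" Version="2.0" IssueInstant="2014-02-04T14:26:30Z">
<saml2:Issuer>myIDP</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:Reference URI="#A1"/></ds:SignedInfo><ds:SignatureValue>dummy</ds:SignatureValue></ds:Signature>
<saml2:Subject><saml2:NameID>someuser@example.com</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2014-02-04T14:46:30Z"/></saml2:SubjectConfirmation></saml2:Subject>
<saml2:Conditions NotBefore="2014-02-04T14:26:30Z" NotOnOrAfter="2014-02-04T14:46:30Z"><saml2:AudienceRestriction>
<saml2:Audience>mySP</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion>
</wsse:Security></SOAP:Header><SOAP:Body/></SOAP:Envelope>"""
```

Calling extract_identity(SAMPLE, "mySP", now) with a time inside the window returns "someuser@example.com"; a wrong audience, an expired window or a Reference URI that does not match the Assertion ID raises ValueError.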

Related concepts

SAML