SAML 2.0 Assertion
Schema describing the JSON representation of a SAML 2.0 Assertion as defined in OASIS SAML 2.0 Core Section 2. An assertion is a package of information that supplies one or more statements made by a SAML authority (typically an Identity Provider).
Properties
| Name | Type | Description |
|---|---|---|
| Version | string | The SAML version of the assertion. MUST be '2.0'. |
| ID | string | A unique identifier for the assertion. |
| IssueInstant | string | The time instant of issuance in UTC. |
| Issuer | string | The SAML authority that created and is responsible for the assertion. Typically the entityID of the Identity Provider. |
| Subject | object | The principal that is the subject of the statements in the assertion. |
| Conditions | object | Conditions that MUST be evaluated when assessing the validity of the assertion. |
| AuthnStatement | array | Statements about the authentication event. |
| AttributeStatement | array | Statements containing attributes about the subject. |
JSON Schema
{
"$id": "saml-assertion.json",
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "SAML 2.0 Assertion",
"description": "Schema describing the JSON representation of a SAML 2.0 Assertion as defined in OASIS SAML 2.0 Core Section 2. An assertion is a package of information that supplies one or more statements made by a SAML authority (typically an Identity Provider).",
"type": "object",
"required": [
"Version",
"ID",
"IssueInstant",
"Issuer"
],
"properties": {
"Version": {
"type": "string",
"description": "The SAML version of the assertion. MUST be '2.0'.",
"const": "2.0"
},
"ID": {
"type": "string",
"description": "A unique identifier for the assertion."
},
"IssueInstant": {
"type": "string",
"format": "date-time",
"description": "The time instant of issuance in UTC."
},
"Issuer": {
"type": "string",
"description": "The SAML authority that created and is responsible for the assertion. Typically the entityID of the Identity Provider."
},
"Subject": {
"type": "object",
"description": "The principal that is the subject of the statements in the assertion.",
"properties": {
"NameID": {
"type": "object",
"description": "The name identifier for the subject.",
"properties": {
"Format": {
"type": "string",
"format": "uri",
"description": "The format of the name identifier."
},
"SPNameQualifier": {
"type": "string",
"description": "The Service Provider or affiliation that the identifier is scoped to."
},
"value": {
"type": "string",
"description": "The actual name identifier value."
}
}
},
"SubjectConfirmation": {
"type": "array",
"description": "Information allowing the subject to be confirmed.",
"items": {
"type": "object",
"properties": {
"Method": {
"type": "string",
"format": "uri",
"description": "The confirmation method URI.",
"examples": [
"urn:oasis:names:tc:SAML:2.0:cm:bearer"
]
},
"SubjectConfirmationData": {
"type": "object",
"properties": {
"InResponseTo": {
"type": "string",
"description": "The ID of the AuthnRequest this assertion is in response to."
},
"Recipient": {
"type": "string",
"format": "uri",
"description": "The URI of the entity to which the assertion is addressed."
},
"NotOnOrAfter": {
"type": "string",
"format": "date-time",
"description": "The time instant on or after which the subject can no longer be confirmed."
}
}
}
}
}
}
},
"additionalProperties": true
},
"Conditions": {
"type": "object",
"description": "Conditions that MUST be evaluated when assessing the validity of the assertion.",
"properties": {
"NotBefore": {
"type": "string",
"format": "date-time",
"description": "The assertion MUST NOT be used before this time instant."
},
"NotOnOrAfter": {
"type": "string",
"format": "date-time",
"description": "The assertion MUST NOT be used on or after this time instant."
},
"AudienceRestriction": {
"type": "array",
"description": "The set of audiences that the assertion is intended for.",
"items": {
"type": "object",
"properties": {
"Audience": {
"type": "array",
"description": "URIs identifying intended audiences.",
"items": {
"type": "string",
"format": "uri"
}
}
}
}
}
},
"additionalProperties": true
},
"AuthnStatement": {
"type": "array",
"description": "Statements about the authentication event.",
"items": {
"type": "object",
"required": [
"AuthnInstant",
"AuthnContext"
],
"properties": {
"AuthnInstant": {
"type": "string",
"format": "date-time",
"description": "The time at which the authentication took place."
},
"SessionIndex": {
"type": "string",
"description": "The index of the session at the Identity Provider."
},
"SessionNotOnOrAfter": {
"type": "string",
"format": "date-time",
"description": "The time instant on or after which the session at the Identity Provider is no longer valid."
},
"AuthnContext": {
"type": "object",
"description": "The context of the authentication event.",
"properties": {
"AuthnContextClassRef": {
"type": "string",
"format": "uri",
"description": "A URI reference identifying the authentication context class.",
"examples": [
"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
]
}
}
}
}
}
},
"AttributeStatement": {
"type": "array",
"description": "Statements containing attributes about the subject.",
"items": {
"type": "object",
"properties": {
"Attribute": {
"type": "array",
"description": "The attributes associated with the subject.",
"items": {
"type": "object",
"required": [
"Name"
],
"properties": {
"Name": {
"type": "string",
"description": "The name of the attribute."
},
"NameFormat": {
"type": "string",
"format": "uri",
"description": "The format of the attribute name.",
"examples": [
"urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
]
},
"AttributeValue": {
"type": "array",
"description": "The values of the attribute.",
"items": {
"type": "string"
}
}
}
}
}
}
}
}
},
"additionalProperties": true
}