Anatomy of SAML Messages

The SAML XSD schemas are large and can be a bit complex to read through if all you want is a good overview of what a SAML request and response contain. I've tried to summarize the essence of the schemas as applied to an AuthnRequest and a typical Response, with the cardinality of each element taken from the schema (zero or one, exactly one, zero or more, one or more).

SAML 2.0 AuthnRequest (schema)

  • <samlp:AuthnRequest> samlp:AuthnRequestType extends samlp:RequestAbstractType

    Inherited from samlp:RequestAbstractType

    • @ID (required)
    • @Version (required)
    • @IssueInstant (required)
    • @Destination (optional)
    • @Consent (optional)

    Added as samlp:AuthnRequestType

    • @ForceAuthn (optional)
    • @IsPassive (optional)
    • @ProtocolBinding (optional)
    • @AssertionConsumerServiceIndex (optional)
    • @AssertionConsumerServiceURL (optional)
    • @AttributeConsumingServiceIndex (optional)
    • @ProviderName (optional)

    Inherited from samlp:RequestAbstractType

    • <saml:Issuer> (zero or one) saml:NameIDType extends string
      • @NameQualifier (optional)
      • @SPNameQualifier (optional)
      • @Format (optional)
      • @SPProvidedID (optional)
      • Content: string
    • <ds:Signature> (zero or one)
    • <samlp:Extensions> (zero or one) samlp:ExtensionsType, ##other namespace

    Added as samlp:AuthnRequestType

    • <saml:Subject> (zero or one) saml:SubjectType
      • <saml:NameID> saml:NameIDType (could also be either BaseID or EncryptedID) (optional; if absent, at least one SubjectConfirmation is required)
        • @NameQualifier (optional)
        • @SPNameQualifier (optional)
        • @Format (optional)
        • @SPProvidedID (optional)
        • Content: string
      • <saml:SubjectConfirmation> (zero or more) saml:SubjectConfirmationType
        • @Method (required)
        • <saml:NameID> saml:NameIDType (could also be either BaseID or EncryptedID) (optional)
          • @NameQualifier (optional)
          • @SPNameQualifier (optional)
          • @Format (optional)
          • @SPProvidedID (optional)
          • Content: string
        • <saml:SubjectConfirmationData> (zero or one) saml:SubjectConfirmationDataType
          • @NotBefore (optional)
          • @NotOnOrAfter (optional)
          • @Recipient (optional)
          • @InResponseTo (optional)
          • @Address (optional)
          • Content: mixed; any elements, plus any attributes from an ##other namespace
    • <samlp:NameIDPolicy> (zero or one) samlp:NameIDPolicyType
      • @Format (optional)
      • @SPNameQualifier (optional)
      • @AllowCreate (optional)
    • <saml:Conditions> (zero or one) saml:ConditionsType
      • @NotBefore (optional)
      • @NotOnOrAfter (optional)
      • <saml:AudienceRestriction> (zero or more) saml:AudienceRestrictionType extends saml:ConditionAbstractType
        • <saml:Audience> (one or more)
          • Content: URI
      • <saml:OneTimeUse> (zero or more) saml:OneTimeUseType extends saml:ConditionAbstractType
      • <saml:ProxyRestriction> (zero or more) saml:ProxyRestrictionType extends saml:ConditionAbstractType
        • @Count (optional)
        • <saml:Audience> (zero or more)
          • Content: URI
      • Any element extending saml:ConditionAbstractType (zero or more)
    • <samlp:RequestedAuthnContext> (zero or one) samlp:RequestedAuthnContextType
      • @Comparison (optional: exact, minimum, maximum or better)
      • <saml:AuthnContextClassRef> (one or more) or
        • Content: URI
      • <saml:AuthnContextDeclRef> (one or more)
        • Content: URI
    • <samlp:Scoping> (zero or one) samlp:ScopingType
      • @ProxyCount (optional)
      • <samlp:IDPList> (zero or one)
      • <samlp:RequesterID> (zero or more)

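To make the outline above concrete, here is an added example (mine, not code from the original post) that builds an AuthnRequest with the required attributes and the optional ones an SP normally sets, using only the Python standard library, and then parses it back the way an IdP would: enforcing the schema-required attributes, checking Destination against the IdP's own endpoint, and refusing an AssertionConsumerServiceURL that is not registered for the issuing SP. The entity IDs, URLs and the registered-ACS lookup table are assumptions for illustration; signing the request (the ds:Signature slot) is not shown.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def new_message_id():
    # @ID is an xs:ID, i.e. an NCName, so it must not begin with a digit: hence the
    # leading underscore. 160 random bits keep outstanding request IDs unguessable.
    return "_" + secrets.token_hex(20)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, force_authn=False,
                        authn_context_class=PASSWORD_PT):
    """Build an AuthnRequest with the required attributes plus the optional ones an SP
    usually sets. Returns (request_id, xml_string); the SP must store request_id so the
    Response's InResponseTo can be matched against it later."""
    request_id = new_message_id()
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        # xs:dateTime in UTC with a trailing "Z"
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    # Child order follows the schema sequence: Issuer, then NameIDPolicy, then RequestedAuthnContext
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "AllowCreate": "true",
    })
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = authn_context_class
    return request_id, ET.tostring(req, encoding="unicode")


def parse_authn_request(xml_text, registered_acs_urls, idp_sso_url=None):
    """IdP-side view of the same message: enforce the schema-required attributes, check
    Destination when we know our own endpoint, and refuse an AssertionConsumerServiceURL
    that is not registered for the issuing SP (registered_acs_urls maps SP entityID to a
    set of ACS URLs, a stand-in for SP metadata). Without that lookup an unsigned request
    could direct the assertion to any URL the requester likes."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    for name in ("ID", "Version", "IssueInstant"):
        if root.get(name) is None:
            raise ValueError(f"required attribute {name} is missing")
    if root.get("Version") != "2.0":
        raise ValueError("unsupported SAML version")
    if idp_sso_url and root.get("Destination") not in (None, idp_sso_url):
        raise ValueError("Destination is not this IdP's endpoint")
    issuer = root.findtext("saml:Issuer", None, NS)
    acs_url = root.get("AssertionConsumerServiceURL")
    if issuer is None or acs_url not in registered_acs_urls.get(issuer, set()):
        raise ValueError("AssertionConsumerServiceURL is not registered for this Issuer")
    policy = root.find("samlp:NameIDPolicy", NS)
    return {
        "id": root.get("ID"),
        "issuer": issuer,
        "acs_url": acs_url,
        "force_authn": root.get("ForceAuthn", "false") in ("true", "1"),
        "name_id_format": None if policy is None else policy.get("Format"),
        "authn_context": [e.text for e in root.findall(
            "samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)],
    }


if __name__ == "__main__":
    rid, xml = build_authn_request("https://sp.example.com", "https://sp.example.com/acs",
                                   "https://idp.example.com/sso", force_authn=True)
    print(xml)
    print(parse_authn_request(xml, {"https://sp.example.com": {"https://sp.example.com/acs"}},
                              "https://idp.example.com/sso"))
```

The two sides are deliberately asymmetric: the SP only has to fill in the fields, while the IdP has to decide which of the optional fields it will honour. AssertionConsumerServiceURL is the one to be most careful with, which is why the parser resolves it against a registration table rather than taking the value from the wire.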
SAML 2.0 Response (schema)

  • <samlp:Response> samlp:ResponseType extends samlp:StatusResponseType

    Inherited from samlp:StatusResponseType

    • @ID (required)
    • @InResponseTo (optional)
    • @Version (required)
    • @IssueInstant (required)
    • @Destination (optional)
    • @Consent (optional)

    Inherited from samlp:StatusResponseType

    • <saml:Issuer> (zero or one) saml:NameIDType extends string
      • @NameQualifier (optional)
      • @SPNameQualifier (optional)
      • @Format (optional)
      • @SPProvidedID (optional)
      • Content: string
    • <ds:Signature> (zero or one)
    • <samlp:Extensions> (zero or one) samlp:ExtensionsType, ##other namespace
    • <samlp:Status> (one)
      • <samlp:StatusCode> (one)
        • @Value (required)
        • <samlp:StatusCode> (zero or one) nested…
      • <samlp:StatusMessage> (zero or one)
        • Content: string
      • <samlp:StatusDetail> (zero or one)
        • Content: elements from ##other namespace

    Added as samlp:ResponseType

    • <saml:Assertion> (zero or more) saml:AssertionType (alternatively <saml:EncryptedAssertion>)
      • @ID (required)
      • @Version (required)
      • @IssueInstant (required)
      • <saml:Issuer> (exactly one) saml:NameIDType extends string
        • @NameQualifier (optional)
        • @SPNameQualifier (optional)
        • @Format (optional)
        • @SPProvidedID (optional)
        • Content: string
      • <ds:Signature> (zero or one)
      • <saml:Subject> (zero or one) saml:SubjectType
        • <saml:NameID> saml:NameIDType (could also be either BaseID or EncryptedID) (optional; if absent, at least one SubjectConfirmation is required)
          • @NameQualifier (optional)
          • @SPNameQualifier (optional)
          • @Format (optional)
          • @SPProvidedID (optional)
          • Content: string
        • <saml:SubjectConfirmation> (zero or more) saml:SubjectConfirmationType
          • @Method (required)
          • <saml:NameID> saml:NameIDType (could also be either BaseID or EncryptedID) (optional)
            • @NameQualifier (optional)
            • @SPNameQualifier (optional)
            • @Format (optional)
            • @SPProvidedID (optional)
            • Content: string
          • <saml:SubjectConfirmationData> (zero or one) saml:SubjectConfirmationDataType
            • @NotBefore (optional)
            • @NotOnOrAfter (optional)
            • @Recipient (optional)
            • @InResponseTo (optional)
            • @Address (optional)
            • Content: mixed; any elements, plus any attributes from an ##other namespace
      • <saml:Conditions> (zero or one) saml:ConditionsType
        • @NotBefore (optional)
        • @NotOnOrAfter (optional)
        • <saml:AudienceRestriction> (zero or more) saml:AudienceRestrictionType extends saml:ConditionAbstractType
          • <saml:Audience> (one or more)
            • Content: URI
        • <saml:OneTimeUse> (zero or more) saml:OneTimeUseType extends saml:ConditionAbstractType
        • <saml:ProxyRestriction> (zero or more) saml:ProxyRestrictionType extends saml:ConditionAbstractType
          • @Count (optional)
          • <saml:Audience> (zero or more)
            • Content: URI
        • Any element extending saml:ConditionAbstractType (zero or more)
      • <saml:Advice> (zero or one)
      • <saml:AuthnStatement> (zero or more) saml:AuthnStatementType extends saml:StatementAbstractType
        • @AuthnInstant (required)
        • @SessionIndex (optional)
        • @SessionNotOnOrAfter (optional)
        • <saml:SubjectLocality> (zero or one) saml:SubjectLocalityType
          • @Address (optional)
          • @DNSName (optional)
        • <saml:AuthnContext> (exactly one) saml:AuthnContextType
          • <saml:AuthnContextClassRef> (zero or one)
          • <saml:AuthnContextDecl> (zero or one)
          • <saml:AuthnContextDeclRef> (zero or one)
          • <saml:AuthenticatingAuthority> (zero or more)
          • AuthnContext MUST contain at least one of AuthnContextClassRef, AuthnContextDecl and AuthnContextDeclRef; AuthnContextDecl and AuthnContextDeclRef are mutually exclusive.
      • <saml:AttributeStatement> (zero or more) saml:AttributeStatementType extends saml:StatementAbstractType
        • <saml:Attribute> (one or more) saml:AttributeType (alternatively <saml:EncryptedAttribute>)
          • @Name (required)
          • @NameFormat (optional)
          • @FriendlyName (optional)
          • <saml:AttributeValue> (zero or more)
      • <saml:AuthzDecisionStatement> or <saml:Statement> (zero or more) the other statement types allowed by the same choice as AuthnStatement and AttributeStatement

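As an added example (not part of the original post), the following Python walks a constructed Response and applies the checks an SP has to make on the fields listed in the outline above: Status, Destination, InResponseTo against the set of outstanding request IDs, the Assertion's Issuer and Version, the presence of ds:Signature, Conditions (NotBefore/NotOnOrAfter with clock skew and every AudienceRestriction), a bearer SubjectConfirmation bound to the ACS URL and the request ID, and the AuthnStatement/AuthnContext requirement. The sample message, entity IDs and URLs are constructed; the signature element is an empty placeholder, because cryptographic verification is deliberately left to a proper XML-DSig library and must happen before these checks, on the same Assertion element the checks read.

```python
import xml.etree.ElementTree as ET  # in production parse with defusedxml or lxml (entity resolution off)
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
FIXED_NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)  # clock used by check()

# Constructed sample, not a captured message; the Signature is an empty placeholder
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.com/acs" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="https://sp.example.com/acs" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:30Z" SessionIndex="_s1">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _instant(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML dateTime is UTC with "Z"


def validate_response(xml_text, sp_entity_id, acs_url, idp_entity_id,
                      outstanding_ids, now, skew=timedelta(minutes=3)):
    """SP-side checks on the Response fields in the outline. Precondition, NOT done here:
    the ds:Signature has been verified against the IdP's known key, and the Assertion
    read below is the element that signature covers. Returns NameID, SessionIndex and
    attributes, or raises ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"] or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("StatusCode is not Success")
    if root.get("Destination") != acs_url:  # schema-optional, but never accept another endpoint's message
        raise ValueError("Destination does not match this ACS URL")
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_ids:  # also rejects unsolicited (IdP-initiated) responses
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    outstanding_ids.discard(in_response_to)  # a request ID is good for exactly one Response
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # EncryptedAssertion is out of scope for this example
        raise ValueError("expected exactly one plaintext saml:Assertion")
    a = assertions[0]
    if a.get("Version") != "2.0" or a.findtext("saml:Issuer", None, NS) != idp_entity_id:
        raise ValueError("Assertion Issuer or Version mismatch")
    if a.find("ds:Signature", NS) is None:
        raise ValueError("Assertion carries no ds:Signature")
    cond = a.find("saml:Conditions", NS)
    restrictions = [] if cond is None else cond.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        raise ValueError("Conditions/AudienceRestriction missing")
    if cond.get("NotBefore") and now + skew < _instant(cond.get("NotBefore")):
        raise ValueError("Assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= _instant(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion expired")
    for r in restrictions:  # every AudienceRestriction present must name this SP
        if sp_entity_id not in [x.text for x in r.findall("saml:Audience", NS)]:
            raise ValueError("Audience does not include this SP")
    subject = a.find("saml:Subject", NS)
    name_id = None if subject is None else subject.findtext("saml:NameID", None, NS)
    if not name_id:
        raise ValueError("Subject/NameID missing")
    confirmed = False
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        d = sc.find("saml:SubjectConfirmationData", NS)
        if (sc.get("Method") == BEARER and d is not None and d.get("NotOnOrAfter")
                and d.get("Recipient") == acs_url and d.get("InResponseTo") == in_response_to
                and now - skew < _instant(d.get("NotOnOrAfter"))):
            confirmed = True
    if not confirmed:
        raise ValueError("no bearer SubjectConfirmation bound to this ACS URL and request")
    authn = a.find("saml:AuthnStatement", NS)
    if authn is None or authn.find("saml:AuthnContext", NS) is None:
        raise ValueError("AuthnStatement/AuthnContext missing")
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": name_id, "session_index": authn.get("SessionIndex"), "attributes": attrs}


def check(xml_text, outstanding_ids=None):
    # Run the validator with the constructed SP/IdP identities at FIXED_NOW; returns
    # the extracted data or the rejection reason, so tampered variants are easy to compare
    ids = {"_req1"} if outstanding_ids is None else outstanding_ids
    try:
        return validate_response(xml_text, "https://sp.example.com", "https://sp.example.com/acs",
                                 "https://idp.example.com", ids, FIXED_NOW)
    except ValueError as err:
        return "rejected: " + str(err)
```

The order of the checks matters less than the fact that all of them run on the element whose signature was verified: taking the NameID from one Assertion and the Conditions from another is how a Response that passes signature verification can still be accepted for the wrong subject. Consuming the request ID from outstanding_ids is what turns InResponseTo into a replay defence rather than a formality.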