A SAML assertion can contain one or more statements about the characteristics (identity, attributes) of a user, as well as their authorizations. The assertion is created by the respective identity provider, i.e. the user database responsible for that user, using XML as the markup language. Every assertion also receives a digital signature, which must be verified by the service provider that receives it. This guarantees the integrity and authenticity of the assertion, which in its signed form is also called a SAML token. Only after successful verification does the service provider evaluate the actual content and decide what kind of access to grant the user.
The following three types of statements in SAML assertions are specified in SAML 2.0:
- Authentication statements: The identity provider informs the application that the user has been authenticated using authentication statements. This type of statement also provides information in an assertion about when the authentication took place and which method was used.
- Attribute statements: Attribute statements carry the attributes associated with the respective user, which the identity provider communicates to the application in the corresponding SAML token.
- Authorization decision statements: When an authorization decision statement is included in a SAML assertion, it records that the user has either been granted or denied access to specific resources.
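The following Python script is an added example, not code from the original page or from any SAML library. It shows the service-provider side of what the text describes: a constructed sample assertion containing one statement of each type, and a parser that first insists on a signature covering the assertion's own ID and a successful cryptographic check (delegated to a hypothetical `verify_signature` hook, because XML-DSig verification needs a library such as xmlsec that the standard library lacks), then enforces the validity window and audience, and only then extracts the authentication, attribute and authorization decision statements. All identifiers, URLs and timestamps in the sample are constructed.

```python
"""Parse the three SAML 2.0 statement types out of a signed assertion.

Added example; the assertion below is a constructed sample and the
signature check is a caller-supplied hook (hypothetical), not real XML-DSig.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample assertion: one statement of each type, plus a Signature
# element whose Reference points at the assertion's own ID.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_assertion-1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#_assertion-1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://sp.example.test/reports" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""

NOW = None  # set below once _ts is defined
SP_AUDIENCE = "https://sp.example.test"  # constructed service-provider entity ID


def _ns(tag, ns=SAML):
    """Clark-notation tag name for ElementTree lookups."""
    return f"{{{ns}}}{tag}"


def _ts(value):
    """Parse a whole-second UTC xs:dateTime (fractional seconds omitted for brevity)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


NOW = _ts("2024-01-01T12:00:00Z")  # constructed "current time" inside the validity window


def parse_assertion(xml_text, verify_signature, now, audience):
    """Check signature and conditions, then return the statements as a dict.

    verify_signature(xml_text) -> bool is assumed (hypothetical hook) to run a
    real XML-DSig check against the identity provider's trusted certificate.
    """
    root = ET.fromstring(xml_text)
    if root.tag != _ns("Assertion"):
        raise ValueError("not a SAML 2.0 Assertion")

    # Integrity and authenticity first: unsigned assertions are rejected, the
    # signature must reference this assertion's own ID, and the cryptographic
    # check must pass before any content is trusted.
    sig = root.find(_ns("Signature", DS))
    if sig is None:
        raise ValueError("unsigned assertion rejected")
    ref = sig.find(f"{_ns('SignedInfo', DS)}/{_ns('Reference', DS)}")
    if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
        raise ValueError("signature does not reference this assertion")
    if not verify_signature(xml_text):
        raise ValueError("signature verification failed")

    # Conditions: validity window and intended audience.
    cond = root.find(_ns("Conditions"))
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            raise ValueError("assertion not yet valid")
        if not_on_or_after and now >= _ts(not_on_or_after):
            raise ValueError("assertion expired")
        audiences = [a.text for a in cond.iter(_ns("Audience"))]
        if audiences and audience not in audiences:
            raise ValueError("assertion issued for a different audience")

    # Authentication statement: when and how the user was authenticated.
    authn = root.find(_ns("AuthnStatement"))
    authn_info = None
    if authn is not None:
        cls = authn.find(f"{_ns('AuthnContext')}/{_ns('AuthnContextClassRef')}")
        authn_info = {"instant": authn.get("AuthnInstant"),
                      "context": cls.text if cls is not None else None}

    # Attribute statement: name -> list of values (an attribute may be multi-valued).
    attributes = {}
    for attr in root.findall(f"{_ns('AttributeStatement')}/{_ns('Attribute')}"):
        attributes[attr.get("Name")] = [v.text for v in attr.findall(_ns("AttributeValue"))]

    # Authorization decision statements: Permit/Deny/Indeterminate per resource.
    decisions = [{"resource": d.get("Resource"), "decision": d.get("Decision"),
                  "actions": [a.text for a in d.findall(_ns("Action"))]}
                 for d in root.findall(_ns("AuthzDecisionStatement"))]

    return {"subject": root.findtext(f"{_ns('Subject')}/{_ns('NameID')}"),
            "authn": authn_info, "attributes": attributes, "authz": decisions}


def demo():
    """Parse the sample with a stand-in verifier that accepts the constructed signature."""
    return parse_assertion(SAMPLE_ASSERTION, lambda _xml: True, NOW, SP_AUDIENCE)


if __name__ == "__main__":
    print(demo())
```

The order of checks mirrors the text: nothing inside the assertion is read until the signature has been validated, and a failed signature, an expired window or a foreign audience each raise before any statement is returned.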