Sample SAML Assertion Document

The key protocol element in a SAML authentication transaction is passed as an XML document containing a <saml:Assertion> stanza. This is sent from your identity provider to our Assertion Consumer Service, in response to a request from a user. The document asserts — makes a promise — that the user named in it has convinced your identity provider that they are who they claim to be. It also asserts that they are authorized by you to use Glance services.

This is a sample of such a <saml:Assertion> document, wrapped in its <samlp:Response>. This particular sample was generated by PingIdentity.com to fulfill an identity-provider-initiated sign-on request.

In ordinary use, we never need to look at these XML documents. But, during initial provisioning and troubleshooting, it can be helpful to examine one or two of them.

Notice the attribute items near the end of this example. Look at the <saml:Attribute ... Name="email"> item. In this example, the user’s email address is used to uniquely identify the user. You need to tell us the name of the attribute your identity provider uses to identify your users.

<?xml version="1.0" encoding="utf-8"?>
<!-- Sample IdP to SP message: a <samlp:Response> carrying one signed <saml:Assertion>.
     The SignatureValue, X509Certificate and Modulus contents below are truncated
     placeholders, so this sample cannot be signature-verified as written.
     The annotations in this file are XML comments. The canonicalization declared in
     the signature (exc-c14n, not the WithComments variant) omits comments, so comments
     placed between elements would not change the digest of a real assertion. -->
<samlp:Response Destination="https://glance.net/account/GetLoginKey.aspx?groupid=REDACTED&amp;sso=1&amp;redirect=/account/AccountSummary.aspx" IssueInstant="2015-08-19T13:38:56.815Z" ID="IDfbd0dc46e7b5fbdfa268d7cb85d236a9aa4433f62849cfbe04" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Destination is the SP endpoint this message is addressed to; an SP should
         reject a Response whose Destination is not its own ACS URL. The Response ID
         is the value an SP normally remembers for a while to detect replays.
         Note that the outer Response itself carries no ds:Signature here; only the
         Assertion below is signed. -->
    <saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://pingone.com/idp/glance</saml:Issuer>
<!-- Issuer is the IdP entityID; it should match the IdP configured for this SP. -->
<samlp:Status>
   <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </samlp:Status>
   <!-- The Assertion ID below is the target of the ds:Reference URI in the signature,
        so the signature covers this element (after the enveloped-signature transform). -->
   <saml:Assertion Version="2.0" IssueInstant="2015-08-19T13:38:56.815Z"
ID="ID000fa42f1c6a83b665e3a9f2da1fc119fdbec8454da9b91104" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
   <saml:Issuer>https://pingone.com/idp/glance</saml:Issuer>
   <!-- Enveloped XML Signature over this Assertion.
        Security notes for the consuming SP:
        * Both SignatureMethod (rsa-sha1) and DigestMethod (sha1) use SHA-1, which is
          deprecated for new deployments; current guidance is rsa-sha256 / sha256.
          This sample dates from 2015.
        * Validate the signature against the IdP certificate configured on the SP side,
          not against the key material embedded in KeyInfo, which is attacker-supplied
          from the SP's point of view.
        * Confirm the Reference URI resolves to the Assertion actually consumed, so a
          signed assertion cannot vouch for a different, unsigned one. -->
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
     <ds:Reference URI="#ID000fa42f1c6a83b665e3a9f2da1fc119fdbec8454da9b91104">
       <ds:Transforms>
           <!-- Standard pair: strip the Signature element itself, then canonicalize. -->
           <ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
           </ds:Transforms>
           <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
           <ds:DigestValue>hpM9BlriHwQhAL+GXUQwKb+klLM=</ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
     <!-- Placeholder value; the real signature is a base64 RSA signature over SignedInfo. -->
     <ds:SignatureValue> FlCG--- BASE64 data ----- h/Q== </ds:SignatureValue>
     <!-- KeyInfo carries the signing certificate and, redundantly, the raw RSA public key.
          Treat both as informational only; trust comes from SP configuration. -->
     <ds:KeyInfo>
      <ds:X509Data>
             <ds:X509Certificate> MIIDjC----- BASE64 data -----rrPJNRX1 </ds:X509Certificate>
</ds:X509Data>
     <ds:KeyValue>
     <ds:RSAKeyValue>
            <ds:Modulus> jNU6f----- BASE64 data -----0SaOLw== </ds:Modulus>
            <ds:Exponent>AQAB</ds:Exponent>
     </ds:RSAKeyValue>
     </ds:KeyValue>
     </ds:KeyInfo>
   </ds:Signature>
   <!-- Subject: the authenticated principal, identified here by an email-format NameID. -->
   <saml:Subject>
   <saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">olliejones@glance.net</saml:NameID>
   <!-- Bearer confirmation: whoever presents this assertion is the subject. The SP must
        enforce Recipient (its own ACS URL) and NotOnOrAfter on the confirmation data. -->
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2015-08-19T13:53:56.816Z" Recipient="https://glance.net/account/GetLoginKey.aspx?groupid=REDACTED&amp;sso=1&amp;redirect=/account/AccountSummary.aspx" />
    </saml:SubjectConfirmation>
   </saml:Subject>
   <!-- Validity window: 5 minutes before to 15 minutes after IssueInstant (20 minutes
        total). Enforce both bounds, allowing only a small clock skew.
        Audience must equal the SP's own entityID or the assertion is not for this SP. -->
   <saml:Conditions NotOnOrAfter="2015-08-19T13:53:56.816Z"
NotBefore="2015-08-19T13:33:56.816Z">
     <saml:AudienceRestriction>
     <saml:Audience>glance.net/sp/1</saml:Audience>
    </saml:AudienceRestriction>
   </saml:Conditions>
  <!-- How and when the user authenticated at the IdP (password). SessionIndex is the
       IdP session handle referenced in single logout. -->
  <saml:AuthnStatement AuthnInstant="2015-08-19T13:38:56.816Z"
SessionIndex="ID8f2fb817934a9f8eae344621adca9315e6e03c13b787f8a304">
    <saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>

<saml:AuthenticatingAuthority>https://pingone.com/idp/glance</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
   </saml:AuthnStatement>
   <!-- User attributes released by the IdP. The SP matches attributes by Name; the
        Name="email" attribute is the one this SP uses as the user identifier. -->
    <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
     <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="SirGlancealot">
    <saml:AttributeValue xsi:type="xs:string"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">GLANCE</saml:AttributeValue>
    </saml:Attribute>
    <!-- NOTE(review): this NameFormat is a nameid-format URN, unlike the attrname-format
         URN on the sibling attributes. Presumably an IdP mapping artifact; harmless if
         the SP keys on Name alone, but worth confirming in the IdP configuration. -->
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" Name="email">
    <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">sir.glance.a.lot@glance.net</saml:AttributeValue>
    </saml:Attribute>
    <!-- Vendor-specific attributes added by PingOne. -->
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="PingOne.idpid">
    <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">970ead4d-9011-47c6-bcf2-0c6d01f6a342</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="PingOne.AuthenticatingAuthority">
    <saml:AttributeValue xsi:type="xs:string"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">https://pingone.com/idp/glance</saml:AttributeValue>
    </saml:Attribute>
   </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>