2.2.1.6 Assertion Element

The <Assertion> element is specified in [SAMLCore] section 2.3.2. An <Assertion> element defines a SAML token.

[SAMLCore] and [SAMLToken1.1] specify how to parse and validate <Assertion> elements.

If a SAML token is referenced as specified in [SAMLToken1.1] sections 3.4 (ignoring subsections) and 3.4.1, a key identifier reference conforming to section 2.2.1.1 MUST be used.

If a SAML token is present in a <Security> element, a <Signature> element conforming to section 2.2.1.7 MUST be present in the same <Security> element. The <KeyInfo> element of that signature MUST reference the SAML token.

This document overrides the following specifications:

  • Direct and embedded references as specified in [SAMLToken1.1] section 3.4 are not used.

  • The ValueType "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID" and the TokenType "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" specified in [SAMLToken1.1] section 3.4 MUST NOT be used.

  • The NotBefore and NotOnOrAfter attributes as specified in [SAMLCore] section 2.3.2.1.1 MAY be omitted.

  • The MajorVersion and MinorVersion attributes as specified in [SAMLCore] section 2.3.2 MUST be present and MUST both have a value of "1".

  • A <Signature> element as specified in [SAMLCore] section 5.4 and conforming to section 2.2.1.7 MUST be present.

A <SubjectConfirmation> element conforming to section 2.2.1.6.1 MUST be present.
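The rules above, as an added example that is not part of this specification: a small Python checker that applies the section's MUST and MUST NOT constraints to a constructed <Security> header and lists each violation. It assumes the section 2.2.1.1 key identifier form is a <wsse:KeyIdentifier> carrying the SAML Token Profile 1.0 "#SAMLAssertionID" ValueType, and it does not verify any signature value; that is a separate step.

```python
"""Checks the section 2.2.1.6 rules over a <Security> header (added example)."""
import xml.etree.ElementTree as ET

# For headers received from the network, parse with a hardened parser such as
# defusedxml instead of xml.etree; the stdlib parser is used here only because
# the input is a constructed sample embedded below.
NS = {
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
}
# Identifiers quoted from [SAMLToken1.1] section 3.4 by the specification text.
FORBIDDEN_VALUE_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"
FORBIDDEN_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
# Assumed key identifier form for section 2.2.1.1 (SAML 1.1 assertion ID reference).
ASSERTION_ID_VALUE_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"
TOKEN_TYPE = "{%s}TokenType" % NS["wsse11"]


def check_assertion(assertion):
    """Return the section 2.2.1.6 rules that the <Assertion> element violates."""
    problems = []
    if assertion.get("MajorVersion") != "1" or assertion.get("MinorVersion") != "1":
        problems.append("MajorVersion and MinorVersion MUST be present and both be '1'")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("<Assertion> MUST contain a <Signature>")
    if assertion.find(".//saml:SubjectConfirmation", NS) is None:
        problems.append("<SubjectConfirmation> MUST be present")
    # NotBefore and NotOnOrAfter MAY be omitted, so <Conditions> is not required.
    return problems


def check_security(security):
    """Return rule violations for a <Security> element that carries a SAML token."""
    assertion = security.find("saml:Assertion", NS)
    if assertion is None:
        return ["no SAML token in <Security>"]
    problems = check_assertion(assertion)
    signatures = security.findall("ds:Signature", NS)
    if not signatures:
        return problems + ["<Security> holding a SAML token MUST contain a <Signature>"]
    token_id = assertion.get("AssertionID")
    referenced = False
    for sig in signatures:
        for ref in sig.findall("ds:KeyInfo/wsse:SecurityTokenReference", NS):
            if ref.find("wsse:Reference", NS) is not None or ref.find("wsse:Embedded", NS) is not None:
                problems.append("direct and embedded references to the token are not used")
            if ref.get(TOKEN_TYPE) == FORBIDDEN_TOKEN_TYPE:
                problems.append("TokenType #SAMLV2.0 MUST NOT be used")
            for kid in ref.findall("wsse:KeyIdentifier", NS):
                if kid.get("ValueType") == FORBIDDEN_VALUE_TYPE:
                    problems.append("ValueType #SAMLID MUST NOT be used")
                elif kid.get("ValueType") == ASSERTION_ID_VALUE_TYPE and (kid.text or "").strip() == token_id:
                    referenced = True
    if not referenced:
        problems.append("<KeyInfo> of the <Security> signature MUST reference the SAML token")
    return problems


def check_header(xml_text):
    """Parse a <Security> header and return its list of rule violations ([] if compliant)."""
    return check_security(ET.fromstring(xml_text))


# Constructed sample header; signature values are placeholders, not real signatures.
GOOD_SECURITY = """<wsse:Security
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_constructed-token-1"
      Issuer="constructed-issuer" IssueInstant="2024-01-01T00:00:00Z">
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="2024-01-01T00:00:00Z">
      <saml:Subject>
        <saml:NameIdentifier>constructed-user</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>constructed</ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference
          wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
        <wsse:KeyIdentifier
            ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_constructed-token-1</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>"""

# Constructed non-compliant variant: SAML version 2 and the forbidden #SAMLID reference.
BAD_SECURITY = (GOOD_SECURITY
                .replace('MajorVersion="1"', 'MajorVersion="2"')
                .replace(ASSERTION_ID_VALUE_TYPE, FORBIDDEN_VALUE_TYPE))

if __name__ == "__main__":
    for name, text in (("compliant", GOOD_SECURITY), ("non-compliant", BAD_SECURITY)):
        print(name, check_header(text) or "OK")
```

The checker deliberately reports every violation rather than stopping at the first, which is the shape a receiver's validation log should take; a token that fails any one rule is still rejected, but the full list tells an operator which peer implementation deviates and how.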