2.2.4.2 Security Token Format

As stated, the security token contained in the RequestedSecurityToken element, specified in section 2.2.4.1, MUST be formatted as an Assertion element, as specified in [SAMLCore] section 2.3.2, with the restrictions detailed in this section. For full detail, [SAMLASchema] gives the complete XML schema of a SAML assertion and defines all of the element names used in this section, unless otherwise specified. For the processing semantics applied to SAML security tokens that do not conform to this message specification, see section 3.1.1.1.

The following restrictions are placed on the SAML assertion, as specified in [SAMLCore] section 2.3.2:

  • The returned SAML assertion MUST use the schema specified in [SAMLASchema], corresponding to the namespace urn:oasis:names:tc:SAML:1.0:assertion.

  • The MajorVersion attribute of the Assertion element MUST be 1, and the MinorVersion attribute of the Assertion element MUST be 1. These attributes are as specified in [SAMLCore] section 2.3.2.

  • The returned SAML assertion MUST specify the AssertionId, Issuer, and IssueInstant attributes on the Assertion element. These attributes are as specified in [SAMLCore] section 2.3.2.

  • The assertion MUST contain a Conditions element, which MUST specify the NotBefore and NotOnOrAfter attributes. These attributes are as specified in [SAMLCore] section 2.3.2.1.1.

  • The Conditions element MUST contain an AudienceRestrictionCondition element that restricts the audience to the resource IP/STS. This element is specified in [SAMLCore] section 2.3.2.1.3.

  • The AudienceRestrictionCondition element MUST contain one and only one Audience element that specifies the URI of the relying party.

  • The Advice element, specified in [SAMLCore] section 2.3.2.2, MAY<25> be present in assertions conforming to this specification.
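The following validator is an added example and is not part of this specification or of any product that implements it. It checks a received assertion against the restrictions listed above (namespace, MajorVersion/MinorVersion, required Assertion attributes, Conditions with NotBefore/NotOnOrAfter, and an AudienceRestrictionCondition holding exactly one Audience that names the relying party). The attribute is spelled AssertionID as in the [SAMLCore] schema; the sample assertion, the relying-party URI, the issuer and the clock values are constructed placeholders, and the check that the current time falls inside the NotBefore/NotOnOrAfter window is an assumed processing rule taken from [SAMLCore] rather than from this section.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List

# Namespace the returned assertion MUST use (the SAML 1.x assertion schema).
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


def q(local: str) -> str:
    """Clark-notation name for an element in the SAML 1.x assertion namespace."""
    return "{%s}%s" % (SAML1_NS, local)


# Constructed sample values (placeholders, not from the specification).
RELYING_PARTY = "https://rp.example.test/"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)    # inside the window
SAMPLE_LATER = datetime(2024, 1, 1, 13, 0, tzinfo=timezone.utc)  # exactly NotOnOrAfter
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-assertion-0001"
    Issuer="https://idp.example.test/"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://rp.example.test/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2024-01-01T11:59:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>user@example.test</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def _instant(value: str) -> datetime:
    """Parse an xs:dateTime such as 2024-01-01T12:00:00Z (trailing Z handled for older Pythons)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def validate_assertion(xml_text: str, relying_party: str, now: datetime) -> List[str]:
    """Check the section 2.2.4.2 restrictions; return the list of violations ([] means conforming)."""
    problems: List[str] = []
    # ElementTree is used here for a self-contained example; a deployment would parse
    # untrusted tokens with a parser that has DTD and external-entity handling disabled.
    root = ET.fromstring(xml_text)

    # Assertion element in the SAML 1.0 assertion namespace.
    if root.tag != q("Assertion"):
        return ["root element is not an Assertion in " + SAML1_NS]

    # MajorVersion and MinorVersion MUST both be 1.
    if root.get("MajorVersion") != "1" or root.get("MinorVersion") != "1":
        problems.append("MajorVersion and MinorVersion must both be 1")

    # AssertionID, Issuer and IssueInstant MUST be present.
    for attr in ("AssertionID", "Issuer", "IssueInstant"):
        if not root.get(attr):
            problems.append("missing Assertion attribute " + attr)

    # Conditions MUST be present and carry NotBefore / NotOnOrAfter.
    conditions = root.find(q("Conditions"))
    if conditions is None:
        problems.append("missing Conditions element")
        return problems
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not not_before or not not_on_or_after:
        problems.append("Conditions must carry NotBefore and NotOnOrAfter")
    elif not (_instant(not_before) <= now < _instant(not_on_or_after)):
        problems.append("assertion is outside its NotBefore/NotOnOrAfter window")

    # AudienceRestrictionCondition MUST be present, with exactly one Audience naming the relying party.
    restrictions = conditions.findall(q("AudienceRestrictionCondition"))
    if not restrictions:
        problems.append("missing AudienceRestrictionCondition element")
    for restriction in restrictions:
        audiences = restriction.findall(q("Audience"))
        if len(audiences) != 1:
            problems.append("AudienceRestrictionCondition must contain exactly one Audience, found %d"
                            % len(audiences))
            continue
        audience = (audiences[0].text or "").strip()
        if audience != relying_party:
            problems.append("Audience %r does not name this relying party" % audience)
    return problems


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, RELYING_PARTY, SAMPLE_NOW))   # [] for the sample
    print(validate_assertion(SAMPLE_ASSERTION, RELYING_PARTY, SAMPLE_LATER)) # window violation
```

The audience comparison is an exact string match on purpose: a relying party that normalizes or prefix-matches the Audience value would accept assertions minted for a different resource, which is the failure the AudienceRestrictionCondition exists to prevent. The version, attribute and Conditions checks are the ones section 3.1.1.1 relies on to decide that a token does not conform.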