2.2.4.2.1.1 Authentication Statements
The following restrictions are placed on the SAML AuthenticationStatement used in the SAML assertion:
The SAML assertion MUST contain one and only one AuthenticationStatement.
An AuthenticationStatement MUST have a Subject element.
The Subject element, as specified in [SAMLCore] section 2.4.2.1, MUST conform to the guidance of section 2.2.4.2.1.3.
If an AttributeStatement is present, the Subject element in the AuthenticationStatement MUST match the Subject element in the AttributeStatement.
The AuthenticationMethod and AuthenticationInstant attributes MUST be specified.
The optional AuthenticationStatement elements SubjectLocality (specified in [SAMLCore] section 2.4.3.1) and AuthorityBinding (specified in [SAMLCore] section 2.4.3.2) MUST NOT be present in the security token.