2.2.4.2.1.1 Authentication Statements

The following restrictions are placed on the SAML AuthenticationStatement used in the SAML assertion:

  • The SAML assertion MUST contain one and only one AuthenticationStatement.

  • An AuthenticationStatement MUST have a Subject element.

  • The Subject element, as specified in [SAMLCore] section 2.4.2.1, MUST conform to the guidance of section 2.2.4.2.1.3.

  • If an AttributeStatement is present, the Subject element in the AuthenticationStatement MUST match the Subject element in the AttributeStatement.

  • The AuthenticationMethod and AuthenticationInstant attributes MUST be specified.

  • The optional AuthenticationStatement elements SubjectLocality (specified in [SAMLCore] section 2.4.3.1) and AuthorityBinding (specified in [SAMLCore] section 2.4.3.2) MUST NOT be present in the security token.
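The restrictions above can be checked mechanically by a relying party before it trusts a token. The following is an added example, not code from the specification: the function names are hypothetical, the sample assertion is constructed and unsigned, and "match" is assumed to mean the same NameIdentifier value, Format and NameQualifier. Signature validation and the Subject guidance of section 2.2.4.2.1.3 are outside its scope.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"  # SAML 1.x assertion namespace

def subject_key(stmt):
    """Comparable form of a statement's Subject (assumed meaning of 'match')."""
    ni = stmt.find(f"{SAML}Subject/{SAML}NameIdentifier")
    if ni is None:
        return None
    return ((ni.text or "").strip(), ni.get("Format"), ni.get("NameQualifier"))

def check_authn_statement(assertion_xml):
    """Return a list of violated restrictions; an empty list means conformant."""
    root = ET.fromstring(assertion_xml)  # root is assumed to be the Assertion
    stmts = root.findall(f"{SAML}AuthenticationStatement")
    if len(stmts) != 1:
        return [f"expected exactly one AuthenticationStatement, found {len(stmts)}"]
    authn, errors = stmts[0], []
    if authn.find(f"{SAML}Subject") is None:
        errors.append("AuthenticationStatement has no Subject")
    for attr in ("AuthenticationMethod", "AuthenticationInstant"):
        if not authn.get(attr):
            errors.append(f"missing {attr} attribute")
    for child in ("SubjectLocality", "AuthorityBinding"):
        if authn.find(f"{SAML}{child}") is not None:
            errors.append(f"{child} MUST NOT be present")
    for attr_stmt in root.findall(f"{SAML}AttributeStatement"):
        if subject_key(attr_stmt) != subject_key(authn):
            errors.append("AttributeStatement Subject does not match")
    return errors

def build_sample(attr_subject, extra=""):
    """Constructed test assertion (not a real token; unsigned)."""
    subj = ('<saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:'
            'nameid-format:emailAddress">{}</saml:NameIdentifier></saml:Subject>')
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">'
        '<saml:AuthenticationStatement '
        'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" '
        'AuthenticationInstant="2024-01-01T00:00:00Z">'
        + subj.format("alice@example.test") + extra +
        '</saml:AuthenticationStatement>'
        '<saml:AttributeStatement>' + subj.format(attr_subject) +
        '<saml:Attribute AttributeName="Group" AttributeNamespace="http://example.test/claims">'
        '<saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement></saml:Assertion>')
```

Run the check only on an assertion whose signature has already been verified, and reject the token if the returned list is non-empty.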