Authentication Statements

The following restrictions are placed on the SAML AuthenticationStatement used in the SAML assertion:

  • The SAML assertion MUST contain one and only one AuthenticationStatement.

  • An AuthenticationStatement MUST have a Subject element.

  • The Subject element, as specified in [SAMLCore] section, MUST conform to the guidance of section

  • If an AttributeStatement is present, the Subject element in the AuthenticationStatement MUST match the Subject element in the AttributeStatement.

  • The AuthenticationMethod and AuthenticationInstant attributes MUST be specified.

  • The optional AuthenticationStatement elements SubjectLocality (specified in [SAMLCore] section) and AuthorityBinding (specified in [SAMLCore] section) MUST NOT be present in the security token.
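The following is an added example, not part of the specification text: a relying-party check of the restrictions above against a SAML 1.1 assertion. It assumes the signature has already been verified, that "match" means equal NameIdentifier value, Format and NameQualifier, and it does not check the Subject conformance rule; the function names and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted input, parse with a hardened parser

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 assertion namespace
NS = {"saml": SAML}

def _subject_key(stmt):
    """Reduce a statement's Subject to a comparable tuple (assumed meaning of 'match')."""
    nid = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    if nid is None:
        return None
    return ((nid.text or "").strip(), nid.get("Format"), nid.get("NameQualifier"))

def check_authentication_statement(assertion_xml):
    """Return a list of violations of the restrictions above (empty list = pass)."""
    root = ET.fromstring(assertion_xml)
    # Only direct children of Assertion count; nested look-alikes are ignored.
    stmts = root.findall("saml:AuthenticationStatement", NS)
    if len(stmts) != 1:
        return [f"expected exactly one AuthenticationStatement, found {len(stmts)}"]
    auth, problems = stmts[0], []
    if auth.find("saml:Subject", NS) is None:
        problems.append("AuthenticationStatement has no Subject")
    for attr in ("AuthenticationMethod", "AuthenticationInstant"):
        if not auth.get(attr):
            problems.append(f"missing {attr} attribute")
    for child in ("SubjectLocality", "AuthorityBinding"):
        if auth.find(f"saml:{child}", NS) is not None:
            problems.append(f"{child} must not be present")
    for attr_stmt in root.findall("saml:AttributeStatement", NS):
        if _subject_key(attr_stmt) != _subject_key(auth):
            problems.append("AttributeStatement Subject does not match")
    return problems

def _sample(auth_extra="", attr_name="alice@example.com"):
    """Constructed, unsigned, reduced sample assertion (not a real token)."""
    subj = "<saml:Subject><saml:NameIdentifier>{}</saml:NameIdentifier></saml:Subject>"
    return (
        f'<saml:Assertion xmlns:saml="{SAML}">'
        '<saml:AuthenticationStatement'
        ' AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"'
        ' AuthenticationInstant="2024-01-01T00:00:00Z">'
        + subj.format("alice@example.com") + auth_extra +
        '</saml:AuthenticationStatement>'
        '<saml:AttributeStatement>' + subj.format(attr_name) +
        '</saml:AttributeStatement></saml:Assertion>'
    )
```

A token that fails any check should be rejected outright rather than processed with the offending element ignored.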