The SAML assertion token specification (see OASIS Working Draft 14, Web Services Security: SAML Token Profile, July 12, 2004) extends the token-independent processing model defined by the core WS‑Security specification, allowing SAML assertions to be used to provide secure authentication data.
The SAML assertion includes the identity of the web service consumer (typically as its subject) and, optionally, other associated attributes. Additionally, the SAML token specification provides for the use of digital signatures to guarantee the integrity and authenticity of the SAML assertion, its issuer, and the subject of the assertion, using one of the following:
When the WS‑Security authentication scheme is used to authenticate requests that carry SAML assertion tokens, SOA Security Manager validates the request by authenticating both the assertion subject and the assertion issuer, which ensures that the assertion comes from a trusted source. For example, in a multiple web service implementation using SAML tokens, SOA Security Manager would validate the assertion subject (the web service consumer that made the initial web service request) and the assertion issuer (a SOA Security Manager-protected authentication service configured to produce SAML WS‑Security tokens).
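The following is an added illustration, not code from the CA documentation or from SOA Security Manager itself, of the validation sequence just described: take the SAML assertion out of the WS‑Security header, confirm the issuer is a configured trusted authentication service, confirm the assertion is signed and that the signature references the assertion, check the validity window, and only then accept the subject as the consumer identity. The SOAP request, the issuer name and the subject are constructed sample values; the assertion uses the SAML 1.1 syntax that the 2004 token profile covers; and the cryptographic check of the XML signature is delegated to a hypothetical `verify_signature` callback (in a real deployment that would be an XML‑DSig library checking the issuer's certificate), so the `demo_signature_check` stand-in below only confirms a signature value is present.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by a WS-Security header carrying a SAML 1.1 assertion.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed: the trusted authentication service name is a placeholder.
TRUSTED_ISSUERS = {"https://authsvc.example.test/saml"}

# Constructed SOAP request (not captured traffic); the signature value is a dummy.
SAMPLE_REQUEST = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}">
      <saml:Assertion xmlns:saml="{NS['saml']}" MajorVersion="1" MinorVersion="1"
          AssertionID="_a1" Issuer="https://authsvc.example.test/saml"
          IssueInstant="2011-05-01T10:00:00Z">
        <saml:Conditions NotBefore="2011-05-01T10:00:00Z" NotOnOrAfter="2011-05-01T10:05:00Z"/>
        <saml:AuthenticationStatement AuthenticationInstant="2011-05-01T10:00:00Z"
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
          <saml:Subject><saml:NameIdentifier>consumer-app</saml:NameIdentifier></saml:Subject>
        </saml:AuthenticationStatement>
        <ds:Signature xmlns:ds="{NS['ds']}">
          <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
          <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
        </ds:Signature>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def parse_utc(value):
    """Parse the xsd:dateTime form SAML uses for timestamps (UTC, 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def demo_signature_check(assertion, issuer):
    """Hypothetical stand-in for XML-DSig verification against the issuer's
    certificate; here it only confirms that a SignatureValue is present."""
    return assertion.find("ds:Signature/ds:SignatureValue", NS) is not None


def validate_saml_token(envelope_xml, now, trusted_issuers, verify_signature):
    """Apply the checks the text describes: the assertion must come from a
    trusted issuer, be signed, be inside its validity window and name a subject.
    Returns (accepted, reason, subject)."""
    root = ET.fromstring(envelope_xml)
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        return False, "no SAML assertion in WS-Security header", None

    # 1. Issuer: only a configured authentication service may vouch for a consumer.
    issuer = assertion.get("Issuer")
    if issuer not in trusted_issuers:
        return False, "untrusted issuer", None

    # 2. Integrity: the assertion must be signed, and the signature's Reference
    #    must point at this assertion ('#' + AssertionID), not at something else.
    signature = assertion.find("ds:Signature", NS)
    if signature is None:
        return False, "unsigned assertion", None
    ref = signature.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("AssertionID", ""):
        return False, "signature does not reference this assertion", None
    if not verify_signature(assertion, issuer):
        return False, "signature verification failed", None

    # 3. Validity window from saml:Conditions (NotOnOrAfter is exclusive).
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < parse_utc(nb)) or (noa and now >= parse_utc(noa)):
            return False, "assertion outside its validity window", None

    # 4. Subject: the consumer identity the assertion carries.
    name_id = assertion.find(".//saml:Subject/saml:NameIdentifier", NS)
    subject = (name_id.text or "").strip() if name_id is not None else ""
    if not subject:
        return False, "assertion has no subject", None

    return True, "ok", subject


if __name__ == "__main__":
    now = parse_utc("2011-05-01T10:02:00Z")
    print(validate_saml_token(SAMPLE_REQUEST, now, TRUSTED_ISSUERS, demo_signature_check))
```

The order matters: the issuer and signature checks run before any claim in the assertion (subject, validity window) is trusted, because until the signature has been verified against a known issuer nothing inside the assertion is authentic.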
Copyright © 2011 CA. All rights reserved.