SAML Assertion
Plain HTML
<!-- HTTP-POST binding: the browser submits this form automatically (see onload below) to the SP's assertion consumer URL -->
<html
xml:lang="en">
<body
onload="document.forms[0].submit()">
<form
action="https://aai-demo.switch.ch/Shibboleth.sso/SAML2/POST"
method="post">
<div>
<!-- RelayState: opaque SP-side state that is echoed back unchanged; the SP should treat it as untrusted input, not as a trusted redirect target -->
<input
type="hidden"
name="RelayState"
value="ss:mem:23e3a3b1268acd89dc226bb1ce0d0c6ba7ecf773"/>
<!-- SAMLResponse: the Base64-encoded samlp:Response shown decoded below (the value is truncated in this listing) -->
<input
type="hidden"
name="SAMLResponse"
value="
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWxwO8
...
vbj0iW1scDVlc+PC9zYW1scRGLsTgiPz4KPlc3U+"/>
</div>
</form>
</body>
</html>
SAML response with encrypted assertion (Base64 decoded)
<!-- NOTE: element and attribute names appear lowercased in this listing; SAML/XMLDSig names are case-sensitive (samlp:Response, ID, ds:SignedInfo, ...) and a real message must use the spec casing -->
<samlp:response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
destination="https://aai-demo.switch.ch/Shibboleth.sso/SAML2/POST"
id="_f3323e32c6cf83b1996fbf703beebe61"
inresponseto="_f2f27516ec08af29501c749629b119d3"
issueinstant="2008-02-27T12:20:19.256Z"
version="2.0">
<saml:issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://aai-demo-idp.switch.ch/idp/shibboleth
</saml:issuer>
<!-- Enveloped signature over this Response: its Reference URI points at the Response id above, so the status and the encrypted assertion below are covered; verify it (against the issuer's key from trusted metadata) before decrypting anything -->
<ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:signedinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:canonicalizationmethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:signaturemethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
uri="#_f3323e32c6cf83b1996fbf703beebe61">
<ds:transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:transform xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:transform xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:inclusivenamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
prefixlist="
ds
saml
samlp
xenc"/>
</ds:transform>
</ds:transforms>
<ds:digestmethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:digestvalue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
W/4ffn8dtDoWa0ZVk0RY9VsYHn8=
<!-- SHA-1 digest of the referenced element (this Response, after the enveloped-signature and exclusive-c14n transforms); it is not a hash of the signature value -->
</ds:digestvalue>
</ds:reference>
</ds:signedinfo>
<ds:signaturevalue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
YiLWdmVJUL9OYxFdEcI+MUlu1WixOXeR6HDNxTBEgplmQ0bnKD8/YAmtjzM1BPceLvFjb7/FnGXW
...
<!-- RSA-SHA1 signature over the canonicalized SignedInfo above; the digest inside SignedInfo is what ties it to the Response content -->
zSSKvGzMHsu2jAvua7QulhpIP88VI9D2B7ZvKg==
</ds:signaturevalue>
<ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:x509data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:x509certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
MIIETDCCAzSgAwIBAgICAKQwDQYJKoZIhvcNAQEFBQAwdTELMAkGA1UEBhMCQ0gxDzANBgNVBAcT
...
<!-- Certificate presented by the signer; KeyInfo is only a hint, so the relying party must match it against the issuer's key from trusted metadata rather than trust the embedded certificate itself -->
8fIN2ZZr14dNQSohA1C18D47+9m2
</ds:x509certificate>
</ds:x509data>
</ds:keyinfo>
</ds:signature>
<samlp:status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:statuscode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:status>
<saml:encryptedassertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:encrypteddata xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
id="_12bc564f5615db1caa1ed9cec18644fc"
type="http://www.w3.org/2001/04/xmlenc#Element">
<!-- Content encryption: AES-128 in CBC mode; CBC on its own gives no integrity protection, so the outer Response signature is what protects this ciphertext from tampering -->
<xenc:encryptionmethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:encryptedkey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
id="_01573d8cf066e3294c9701be13f5278c">
<!-- Key transport: the AES content key is wrapped with RSA-OAEP (MGF1, SHA-1) under the SP's public key -->
<xenc:encryptionmethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<ds:digestmethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</xenc:encryptionmethod>
<ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:x509data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:x509certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
MIIEwzCCA6ugAwIBAgILAQAAAAABGB3PGicwDQYJKoZIhvcNAQEFBQAwXzELMAkGA1UEBhMCQkUx
...
<!-- The SP certificate whose public key was used to wrap the symmetric content key; only the holder of the matching private key can unwrap it -->
TlHWg9fT28Ryoi5ix8+VIVE5wsRlGRWMca0=
</ds:x509certificate>
</ds:x509data>
</ds:keyinfo>
<xenc:cipherdata xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:ciphervalue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
nyjhj8mP5bf79fUj0Pd9oDkHdaOe4Zz0XHoPfUxTCaVaXhbOlPJIy6E/leWN40fFdzR1OmeFhRec
...
<!-- The RSA-OAEP-wrapped symmetric key; the SP unwraps it with its private key and then uses it to decrypt the assertion below -->
2J7T4BHptXGsrxGRcNxPdHaJAN4SB+S3ZXhdWA==
</xenc:ciphervalue>
</xenc:cipherdata>
</xenc:encryptedkey>
</ds:keyinfo>
<xenc:cipherdata xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:ciphervalue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
UHtcpb7a9KZpFst9CoPSAMWO9dLeJTUpQzgLtKXra3iGe2LURnjq+LC1Mh4nByRpyEe2RgqyOJz1
...
<!-- The AES-128-CBC encrypted saml:Assertion (its decrypted form is listed below) -->
ew==
</xenc:ciphervalue>
</xenc:cipherdata>
</xenc:encrypteddata>
</saml:encryptedassertion>
</samlp:response>
SAML assertion decrypted (content of the EncryptedAssertion above)
<!-- The decrypted assertion carries no signature of its own in this example; its integrity rests entirely on the signature over the enclosing Response, which must therefore be verified before any value below is trusted -->
<saml:assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
id="_7a7344b64600d4405da04fcb9e27f5f1"
issueinstant="2008-02-27T12:20:19.256Z"
version="2.0">
<!-- Issuer must equal the entityID of the IdP whose key verified the Response signature -->
<saml:issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://aai-demo-idp.switch.ch/idp/shibboleth
</saml:issuer>
<saml:subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<!-- Transient NameID: a one-time opaque identifier, not a stable user key -->
<saml:nameid xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
_e7b68a04488f715cda642fbdd90099f5
</saml:nameid>
<!-- Bearer confirmation: the SP should check that inresponseto matches an outstanding request ID it issued, that recipient is its own assertion consumer URL, and that notonorafter has not passed; address is the client IP the IdP observed and is only a weak, optional check -->
<saml:subjectconfirmation xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:subjectconfirmationdata xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
address="130.59.4.134"
inresponseto="_f2f27516ec08af29501c749629b119d3"
notonorafter="2008-02-27T12:25:19.256Z"
recipient="https://aai-demo.switch.ch/Shibboleth.sso/SAML2/POST"/>
</saml:subjectconfirmation>
</saml:subject>
<!-- Validity window (five minutes here) and audience restriction: the SP must reject the assertion outside notbefore/notonorafter and when its own entityID is not listed as an audience -->
<saml:conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
notbefore="2008-02-27T12:20:19.256Z"
notonorafter="2008-02-27T12:25:19.256Z">
<saml:audiencerestriction xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:audience xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
https://aai-demo.switch.ch/shibboleth
</saml:audience>
</saml:audiencerestriction>
</saml:conditions>
<!-- Authentication statement: authninstant is when the user actually authenticated at the IdP (earlier than the assertion's issueinstant); sessionindex identifies the IdP session for later logout; sessionnotonorafter bounds how long the SP may rely on this authentication -->
<saml:authnstatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
authninstant="2008-02-27T12:20:06.991Z"
sessionindex="4m2ETlKYtvbNEmBzVNo3UHLuKSdo3HqTUqAmeZiar94="
sessionnotonorafter="2008-02-27T12:50:06.991Z">
<saml:subjectlocality xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
address="130.59.4.134"/>
<saml:authncontext xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:authncontextdeclref xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:authncontextdeclref>
</saml:authncontext>
</saml:authnstatement>
<!-- Attributes are identified by OID-based names; friendlyname is a display hint only and should not be used as the lookup key -->
<saml:attributestatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
friendlyname="givenName"
name="urn:oid:2.5.4.42"
nameformat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<!-- xsi:type uses the xsi and xs prefixes, whose declarations are not shown in this excerpt -->
<saml:attributevalue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xsi:type="xs:string">
Demouser
</saml:attributevalue>
</saml:attribute>
<!-- Further attributes omitted from this listing -->
<saml:attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
friendlyname="surname"
name="urn:oid:2.5.4.4"
nameformat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:attributevalue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xsi:type="xs:string">
SWITCHaai
</saml:attributevalue>
</saml:attribute>
</saml:attributestatement>
</saml:assertion>