SAML Elements in Assertions

The following list provides details for designers on the correct handling of Security Assertion Markup Language (SAML) elements in assertions:

  1. When using the SubjectConfirmation element in a SAML assertion, the NotOnOrAfter condition shall be used.
  2. When using the Conditions element in a SAML assertion, both the NotBefore and NotOnOrAfter elements or the OneTimeUse element shall be used.
  3. If a OneTimeUse element is used in an assertion, there shall only be one used in the Conditions element portion of an assertion.

The VOSS-4-UC system will inspect SAML messages and raise error messages if the elements do not follow the rules for SAML assertions specified above.

The list below shows the respective error numbers and messages as they will show in the logs, as well as example error SAML snippets:

  1. NOTONORAFTER_SUBJECTCONFIRMATION_ERROR (14010)

    “SubjectConfirmation is used but there is no NotOnOrAfter attribute”

    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData/>
    </saml2:SubjectConfirmation>

  2. CONDITION_NOT_BOTH (14012)

    “NotBefore and NotOnOrAfter should be present when using either in Condition”

    <saml2:Conditions NotOnOrAfter="2015-11-20T12:32:23.645Z">
        <saml2:AudienceRestriction>
            <saml2:Audience>http://functional.fedrampfail.plain/sso/metadata/</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>

  3. CONDITION_ONETIMEUSE (14013)

    “OneTimeUse element should be present when neither NotBefore nor NotOnOrAfter attributes in Condition”

    <saml2:Conditions>
        <saml2:AudienceRestriction>
            <saml2:Audience>http://functional.fedrampfail.plain/sso/metadata/</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>

  4. CONDITION_MULTIPLE_ONETIMEUSE (14014)

    “Only one OneTimeUse element should be present in Condition”

    <saml2:Conditions>
        <saml2:AudienceRestriction>
            <saml2:Audience>http://functional.fedrampfail.plain/sso/metadata/</saml2:Audience>
        </saml2:AudienceRestriction>
        <saml2:OneTimeUse/>
        <saml2:OneTimeUse/>
    </saml2:Conditions>
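The four checks above, written out as a small validator so a designer can test an assertion before sending it. This is an added example, not VOSS-4-UC code: the function names, the minimal Assertion wrapper and the sample fragments are constructed here; only the error codes, names and the date value come from the list above.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML_NS}


def check_conditions(cond):
    """Apply rules 14012, 14013 and 14014 to one Conditions element."""
    errors = []
    has_nb = "NotBefore" in cond.attrib
    has_noa = "NotOnOrAfter" in cond.attrib
    one_time_use = cond.findall("saml2:OneTimeUse", NS)
    if has_nb != has_noa:  # exactly one of the two attributes present
        errors.append((14012, "CONDITION_NOT_BOTH"))
    if not has_nb and not has_noa and not one_time_use:
        errors.append((14013, "CONDITION_ONETIMEUSE"))
    if len(one_time_use) > 1:
        errors.append((14014, "CONDITION_MULTIPLE_ONETIMEUSE"))
    return errors


def check_assertion(xml_text):
    """Return [(code, name), ...] for every rule the assertion violates."""
    root = ET.fromstring(xml_text)
    errors = []
    # Rule 14010: every SubjectConfirmation needs SubjectConfirmationData/@NotOnOrAfter
    for sc in root.iter(f"{{{SAML_NS}}}SubjectConfirmation"):
        data = sc.find("saml2:SubjectConfirmationData", NS)
        if data is None or "NotOnOrAfter" not in data.attrib:
            errors.append((14010, "NOTONORAFTER_SUBJECTCONFIRMATION_ERROR"))
    for cond in root.iter(f"{{{SAML_NS}}}Conditions"):
        errors.extend(check_conditions(cond))
    return errors


def build_assertion(subject_confirmation, conditions):
    """Constructed wrapper: a minimal Assertion around the two fragments under test."""
    return (f'<saml2:Assertion xmlns:saml2="{SAML_NS}"><saml2:Subject>'
            f"<saml2:NameID>user@example.test</saml2:NameID>{subject_confirmation}"
            f"</saml2:Subject>{conditions}</saml2:Assertion>")


# Constructed samples: one compliant assertion, one breaking rules 14010 and 14014.
GOOD = build_assertion(
    '<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml2:SubjectConfirmationData NotOnOrAfter="2015-11-20T12:32:23.645Z"/>'
    "</saml2:SubjectConfirmation>",
    '<saml2:Conditions NotBefore="2015-11-20T12:22:23.645Z" '
    'NotOnOrAfter="2015-11-20T12:32:23.645Z"/>')
BAD = build_assertion(
    '<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    "<saml2:SubjectConfirmationData/></saml2:SubjectConfirmation>",
    "<saml2:Conditions><saml2:OneTimeUse/><saml2:OneTimeUse/></saml2:Conditions>")
```

Running `check_assertion(GOOD)` returns an empty list, while `check_assertion(BAD)` reports codes 14010 and 14014.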