SAML Elements in Assertions
---------------------------

The following list provides details for designers on the correct handling of Security Assertion Markup Language (SAML) elements in assertions:

1. When using the ``SubjectConfirmation`` element in a SAML assertion, the ``NotOnOrAfter`` condition shall be used.
#. When using the ``Conditions`` element in a SAML assertion, either both the ``NotBefore`` and ``NotOnOrAfter`` attributes or the ``OneTimeUse`` element shall be used.
#. If a ``OneTimeUse`` element is used in an assertion, there shall be only one in the ``Conditions`` element portion of the assertion.

The |VOSS Automate| system inspects SAML messages and raises error messages if the elements do not follow the rules for SAML assertions specified above. The list below shows the respective error numbers and messages as they appear in the logs, together with example SAML snippets for the errors:

1. NOTONORAFTER_SUBJECTCONFIRMATION_ERROR (14010): "SubjectConfirmation is used but there is no NotOnOrAfter attribute"

2. a) CONDITION_NOT_BOTH (14012): "NotBefore and NotOnOrAfter should be present when using either in Condition"::

         http://functional.fedrampfail.plain/sso/metadata/

   b) CONDITION_ONETIMEUSE (14013): "OneTimeUse element should be present when neither NotBefore nor NotOnOrAfter attributes in Condition"::

         http://functional.fedrampfail.plain/sso/metadata/

3. CONDITION_MULTIPLE_ONETIMEUSE (14014): "Only one OneTimeUse element should be present in Condition"::

      http://functional.fedrampfail.plain/sso/metadata/

.. |VOSS Automate| replace:: VOSS Automate
.. |Unified CM| replace:: Unified CM
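The three rules above, applied to an assertion by a small checker that returns the error numbers listed on this page. This is an added example, not VOSS Automate code; it assumes the SAML 2.0 assertion namespace, that ``NotOnOrAfter`` for a ``SubjectConfirmation`` may sit on the element itself or on its ``SubjectConfirmationData`` child, and uses constructed, unsigned sample assertions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def check_assertion(xml_text):
    """Return the sorted list of error codes (from the page) the assertion violates."""
    root = ET.fromstring(xml_text)
    codes = set()
    # Rule 1: every SubjectConfirmation must carry NotOnOrAfter. In SAML 2.0 the
    # attribute lives on the SubjectConfirmationData child, so check both places.
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        scd = sc.find("saml:SubjectConfirmationData", NS)
        holders = [sc] + ([scd] if scd is not None else [])
        if not any("NotOnOrAfter" in h.attrib for h in holders):
            codes.add(14010)  # NOTONORAFTER_SUBJECTCONFIRMATION_ERROR
    # Rules 2 and 3: Conditions needs both window bounds or a single OneTimeUse.
    for cond in root.iterfind(".//saml:Conditions", NS):
        has_nb = "NotBefore" in cond.attrib
        has_noa = "NotOnOrAfter" in cond.attrib
        one_time = cond.findall("saml:OneTimeUse", NS)
        if has_nb != has_noa:
            codes.add(14012)  # CONDITION_NOT_BOTH
        elif not has_nb and not one_time:
            codes.add(14013)  # CONDITION_ONETIMEUSE
        if len(one_time) > 1:
            codes.add(14014)  # CONDITION_MULTIPLE_ONETIMEUSE
    return sorted(codes)


# Constructed sample assertions (not taken from the page); signatures omitted.
GOOD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"/>
</saml:Assertion>"""

BAD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <saml:SubjectConfirmationData Recipient="https://sp.example/acs"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T00:00:00Z"><saml:OneTimeUse/><saml:OneTimeUse/></saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(GOOD))  # []
    print(check_assertion(BAD))   # [14010, 14012, 14014]
```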