A SAML assertion is a signed XML statement from an identity provider that conveys information about an authenticated user to a service provider. It matters because access decisions in federated systems often depend directly on trusting assertions issued by an upstream identity system.
What is a SAML assertion?
A SAML assertion may contain a subject (the user's identifier), an authentication statement describing how and when the user authenticated, attribute statements carrying claims such as group membership or e-mail, and conditions that restrict when and for whom the assertion is valid. The receiving service provider trusts the assertion only if it was issued and signed by a recognized identity provider and its conditions (validity window, intended audience) are satisfied at the time it is consumed.
What a SAML Assertion Commonly Supports
Common uses include SSO sessions, attribute-based access decisions, enterprise federation, and transfer of identity claims between systems.
SAML Assertion vs. ID Token
A SAML assertion is XML-based, signed with XML Signature, and used in SAML 2.0 federation. An ID token is a JWT, signed with JWS, and issued in OpenID Connect flows. Both are signed statements from an identity provider about an authenticated user; they differ in encoding, signing mechanism, and the surrounding protocol, and each needs the same class of checks before it is trusted (signature, issuer, audience, validity window).
Frequently Asked Questions
Why is a SAML assertion important?
Because it is the core trust artifact a SAML service provider relies on to accept a federated login: the user is granted a session because the assertion says who they are and that they authenticated.
What is a common risk?
Incomplete validation on the service provider side. Not verifying the XML signature, or verifying it over an element other than the assertion that is actually consumed (signature wrapping), not checking the Issuer, Audience, NotBefore and NotOnOrAfter values, or the Recipient and InResponseTo values in the subject confirmation, and not rejecting replayed assertion IDs all allow a forged, redirected, or reused assertion to be accepted as a valid login.
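The checks listed above, and the conditions described earlier in the "What is a SAML assertion?" section, as an added example written for this page (not code from any SAML library or identity product). It uses only the Python standard library and assumes the cryptographic verification of the XML Signature has already been done by an XML-DSig library such as python-xmlsec or signxml; what it implements is the remaining set of conditions a service provider must enforce itself. The sample assertion, the entity IDs (https://idp.example.org, https://sp.example.com) and the request ID _req42 are constructed test data.

```python
"""Service-provider side checks on a SAML 2.0 assertion (stdlib only).

Assumption: the XML Signature over the assertion has already been verified by
an XML-DSig library. These checks cover what that library does not decide for
you: which element was signed, who issued it, who it is for, and when it is valid.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed identifiers for the example (not real deployments).
IDP_ENTITY_ID = "https://idp.example.org"
SP_ENTITY_ID = "https://sp.example.com"
SP_ACS_URL = "https://sp.example.com/acs"
OUTSTANDING_REQUEST_ID = "_req42"   # ID of the AuthnRequest the SP sent


def _utc(ts: str) -> datetime:
    """Parse a SAML timestamp (ISO 8601, UTC, optional fractional seconds)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_assertion(xml_text, *, expected_issuer, expected_audience,
                    expected_recipient, expected_in_response_to, now,
                    clock_skew=timedelta(seconds=60)):
    """Return a list of failures; an empty list means the assertion may be used."""
    root = ET.fromstring(xml_text)
    failures = []

    # 1. Issuer must be the identity provider we federate with.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        failures.append(f"issuer {issuer!r} is not {expected_issuer!r}")

    # 2. The signature must cover THIS assertion: the Reference URI has to be
    #    '#' + the assertion's own ID. A signature over some other element
    #    (signature wrapping) must not vouch for the content we read below.
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != f"#{root.get('ID')}":
        failures.append("signature Reference does not point at this assertion's ID")

    # 3. Validity window from <Conditions>, tolerating a little clock skew.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        failures.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _utc(nb) - clock_skew:
            failures.append("assertion not yet valid")
        if noa and now >= _utc(noa) + clock_skew:
            failures.append("assertion expired")
        # 4. Audience restriction: the assertion must be addressed to us.
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            failures.append(f"audience {audiences!r} does not include {expected_audience!r}")

    # 5. Bearer subject confirmation: bound to our ACS URL and to our request.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        failures.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != expected_recipient:
            failures.append(f"recipient {scd.get('Recipient')!r} is not our ACS URL")
        if scd.get("InResponseTo") != expected_in_response_to:
            failures.append("InResponseTo does not match an outstanding AuthnRequest")
        scd_noa = scd.get("NotOnOrAfter")
        if scd_noa and now >= _utc(scd_noa) + clock_skew:
            failures.append("subject confirmation expired")
    return failures


# Constructed sample assertion. The SignatureValue is a placeholder: the DSig
# library checks it, this code only checks what the signature refers to.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1b2c3"/></ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJlLWJ5dGVz</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.com/acs"
          InResponseTo="_req42" NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def evaluate(xml_text, now_iso, audience=SP_ENTITY_ID):
    """Run the checks against the example SP's configuration at a given time."""
    return check_assertion(xml_text, expected_issuer=IDP_ENTITY_ID,
                           expected_audience=audience, expected_recipient=SP_ACS_URL,
                           expected_in_response_to=OUTSTANDING_REQUEST_ID, now=_utc(now_iso))


if __name__ == "__main__":
    print("in window:", evaluate(SAMPLE_ASSERTION, "2024-05-01T12:01:00Z"))
    print("expired:  ", evaluate(SAMPLE_ASSERTION, "2024-05-01T12:10:00Z"))
    print("wrapped:  ", evaluate(SAMPLE_ASSERTION.replace('URI="#_a1b2c3"', 'URI="#_x"'),
                                 "2024-05-01T12:01:00Z"))
```

Replay protection is the one check not shown: the service provider must also remember every accepted assertion ID until its NotOnOrAfter has passed and reject any ID it has already seen. That needs shared state across the SP's instances, which is why it is kept out of this stand-alone function.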