SAML 1.1 Token Generator

Examine has a SAML 1.1 token generator tool that can be used to hand-craft a SAML 1.1 Assertion. While this is usually not the way SAML assertions are generated or issued, it does provide an easy and quick way to create a SAML 1.1 token.

The SAML 1.1 Token Generator tool is accessible from the Tools->SAML menu tab. The main configuration view is as shown below:

Figure 9.20. SAML 1.1 Generator - Main configuration

Tip

The SAML token generator currently can only be used to generate a SAML 1.1 Assertion. If you would like to generate a SAML 2.0 Assertion, you can use the built-in STS that can issue SAML 2.0 tokens from a WS-Trust RequestSecurityToken SOAP request and use the STS Client tool to send this RST request to it. For more information refer to these sections: STS Service and STS Client

Important

For more information on the SAML 1.1, please refer to the specification set here: http://www.oasis-open.org/standards#samlv1.1

A SAML Assertion is a collection of information that includes one or more statements about a subject made by a SAML authority. In SAML 1.1, the Assertion can hold one or more statements that correspond to the subject. However, since the Subject information is common to the statements, this tool allows you to specify the Subject information once and have it applied to each of the statements added to the assertion.

The main configuration fields are:

Assertion ID

This field corresponds to the SAML 1.1 AssertionID attribute. It represents the identifier for this Assertion and is of type xsd:ID.

Issuer Name

This field corresponds to the SAML authority that created the assertion. The issuer name should be unambiguous to the intended relying parties.

Issue Instant

The time instant when this Assertion was created/issued.

Configuring the SAML Subject

Every type of SAML 1.1 Statement includes information about the Subject about whom the Statement is being made. Thus the Subject represents the core entity on which a SAML Assertion is focused. Even though it is technically possible in SAML 1.1 to have statements about different subjects, in practice all statements within an Assertion are usually made about a single Subject (this is also the view taken in SAML 2.0, where the Subject information is separated from the Statement itself).

A SAML Subject consists of a <NameIdentifier/> and <SubjectConfirmation/>.

To configure the <NameIdentifier/> element, specify the value for the Name Qualifier field, which represents the name of the Subject, and select the URI reference that indicates the format of the name qualifier. The possible values for the Format are:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

Specifying SAML Conditions

A SAML Assertion can have one or more Condition elements that specify restrictions or conditions on the use of the assertion by the relying party. To configure the Conditions for this Assertion, switch to the Conditions tab as shown below:

Figure 9.21. SAML 1.1 Generator - Conditions

Not Before

Click on the calendar icon to bring up the monthly calendar with time and select the instant from which this Assertion will be valid.

Not On or After

Click on the calendar icon to select the time up to which this Assertion will be valid.

Do Not Cache

Selecting this checkbox adds the <DoNotCacheCondition/> element to the Assertion.

Add Audience Restriction

Click on this button to add one or more <AudienceRestrictionCondition> elements, each of which specifies that the assertion is addressed to one or more specific audiences identified by <Audience> elements, as shown below:

Figure 9.22. SAML 1.1 Generator - Audience Restriction Condition

Click on the Audience link to add an Audience URI field where you can specify the URI of the intended audience.
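
The fields described in the main configuration, Subject and Conditions sections map directly onto the XML of the Assertion. The following added example (not Examine's own code) builds such an Assertion with Python's standard library and then evaluates its <Conditions/> the way a relying party should before trusting any of the statements: NotBefore and NotOnOrAfter with a small clock-skew allowance, every <AudienceRestrictionCondition/> against the relying party's own audience URI, and <DoNotCacheCondition/> as a caching decision rather than a rejection reason. The issuer, subject and audience URIs, and the password authentication method used for the single statement, are constructed sample values.

```python
"""Added example (not Examine's own code): build a SAML 1.1 Assertion with the
same fields the generator exposes, then evaluate its <Conditions/> the way a
relying party should before trusting the statements."""
import datetime as dt
import xml.etree.ElementTree as ET

# SAML 1.1 assertions use the SAML 1.0 assertion namespace; the version is
# carried by the MajorVersion/MinorVersion attributes on <Assertion/>.
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML)
UTC = dt.timezone.utc


def q(tag):
    """Clark-notation name for an element in the SAML assertion namespace."""
    return f"{{{SAML}}}{tag}"


def to_saml_time(t):
    """SAML dateTime values are expressed in UTC with a trailing 'Z'."""
    return t.astimezone(UTC).strftime("%Y-%m-%dT%H:%M:%SZ")


def from_saml_time(s):
    # fromisoformat() accepts optional fractional seconds; the 'Z' is stripped
    # because older Python versions do not parse it
    return dt.datetime.fromisoformat(s.rstrip("Z")).replace(tzinfo=UTC)


def build_assertion(assertion_id, issuer, issue_instant, subject_name, name_format,
                    not_before, not_on_or_after, audiences=(), do_not_cache=False):
    """Return the Assertion as an XML string. The single Subject is attached to
    one AuthenticationStatement (constructed: password method, authenticated at
    the issue instant), mirroring how the tool applies one Subject to every
    statement it adds."""
    a = ET.Element(q("Assertion"), {
        "AssertionID": assertion_id, "Issuer": issuer,
        "IssueInstant": to_saml_time(issue_instant),
        "MajorVersion": "1", "MinorVersion": "1"})
    cond = ET.SubElement(a, q("Conditions"), {
        "NotBefore": to_saml_time(not_before),
        "NotOnOrAfter": to_saml_time(not_on_or_after)})
    if audiences:
        arc = ET.SubElement(cond, q("AudienceRestrictionCondition"))
        for uri in audiences:
            ET.SubElement(arc, q("Audience")).text = uri
    if do_not_cache:
        ET.SubElement(cond, q("DoNotCacheCondition"))
    stmt = ET.SubElement(a, q("AuthenticationStatement"), {
        "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password",
        "AuthenticationInstant": to_saml_time(issue_instant)})
    subj = ET.SubElement(stmt, q("Subject"))
    ET.SubElement(subj, q("NameIdentifier"), {"Format": name_format}).text = subject_name
    sc = ET.SubElement(subj, q("SubjectConfirmation"))
    ET.SubElement(sc, q("ConfirmationMethod")).text = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
    return ET.tostring(a, encoding="unicode")


def check_conditions(assertion_xml, now, my_audience, skew=dt.timedelta(seconds=30)):
    """Relying-party check of <Conditions/>. Returns a dict with 'valid', the
    list of 'problems' found, and whether the assertion may be cached."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(q("Conditions"))
    problems, cacheable = [], True
    if cond is None:  # no Conditions element means no restrictions
        return {"valid": True, "problems": problems, "cacheable": cacheable}
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    # NotBefore is inclusive, NotOnOrAfter is exclusive; allow a small clock skew
    if nb and now + skew < from_saml_time(nb):
        problems.append("not yet valid")
    if noa and now - skew >= from_saml_time(noa):
        problems.append("expired")
    # Every AudienceRestrictionCondition present must list this relying party
    for arc in cond.findall(q("AudienceRestrictionCondition")):
        if my_audience not in [e.text for e in arc.findall(q("Audience"))]:
            problems.append("audience restriction not satisfied")
    if cond.find(q("DoNotCacheCondition")) is not None:
        cacheable = False
    return {"valid": not problems, "problems": problems, "cacheable": cacheable}


if __name__ == "__main__":
    now = dt.datetime(2024, 5, 1, 12, 0, tzinfo=UTC)
    xml = build_assertion("_example-1", "https://idp.example.test", now,
                          "alice@example.test",
                          "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                          now - dt.timedelta(minutes=1), now + dt.timedelta(minutes=5),
                          audiences=["https://sp.example.test"], do_not_cache=True)
    print(xml)
    print(check_conditions(xml, now, "https://sp.example.test"))
    print(check_conditions(xml, now + dt.timedelta(minutes=10), "https://sp.example.test"))
```

The check deliberately treats a missing audience as a rejection rather than a warning: an assertion addressed to another relying party must not be accepted even when its validity window is fine, and a missing <Conditions/> element is the only case in which no restriction applies.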

Adding SAML Advice

A SAML Assertion can contain an <Advice/> element that can contain some additional information that can help the relying party process the Assertion. To configure this information switch to the Advice tab.

Figure 9.23. SAML 1.1 Generator - Advice configuration

The following actions are available to add different kinds of Advice to the Assertion:

Assertion

Click on this button to open a dialog where you can specify the contents of another SAML Assertion element that should be packaged as an Advice. Note that the SAML Assertion element XML that you paste here must be a valid SAML 1.1 Assertion element (i.e. in the correct SAML 1.1 namespace).

Assertion ID Reference

Click on this button to open a dialog where you can specify the value of the ID attribute of another SAML 1.1 Assertion.

Any element

Click on this button to open a dialog where you can specify any valid XML element that should be added to the Advice element.

Adding SAML Statements

Every SAML Assertion usually contains one or more of the following kinds of Statements about a Subject:

  • Attribute Statement

  • Authentication Statement

  • Authorization Decision Statement

To add one or more of the above Statements to the Assertion, switch to the Statements tab.

Attribute Statements

To add a new Attribute Statement, click on the Attribute link to add a new tab that represents the statement. Click on the Add Attribute button to open the Add Attribute dialog where you can specify the name, value and the namespace of the attribute as shown below:

Figure 9.24. SAML 1.1 Generator - Attribute Statement value

Clicking on OK adds a new Attribute to the Attribute Statement as shown below:

Figure 9.25. SAML 1.1 Generator - Attribute Statement with Attribute

Authentication Statement

To add one or more Authentication Statements to the Assertion, click on the Authentication button to add a new tab that represents the Statement as shown below:

Figure 9.26. SAML 1.1 Generator - Authentication Statement

Each Authentication Statement consists of the Authentication method used to authenticate the Subject, the time at which the authentication took place and information about the locality of the Subject.

Authorization Decision Statement

To add an <AuthorizationDecisionStatement/> element to the Assertion, click on the Authorization Decision button and configure the request URI and decision information as shown below:

Figure 9.27. SAML 1.1 Generator - Authorization Decision Statement

The Decision Type value can be one of:

  • Deny

  • Permit

  • Indeterminate

To add one or more <Action/> elements, click on the Action button and select the Namespace of the Action and the Content for the Action (string data).

To add an <Evidence/> element that holds either an <AssertionIDReference/> or an <Assertion/> element, click on the Evidence button and select either the Assertion or the Assertion ID Reference button to specify the respective value.
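
On the receiving side, the three statement kinds described above are what a relying party actually consumes. The following added example (not Examine's own code) parses a constructed Assertion carrying one statement of each kind, collects the attributes, authentication details and authorization decisions, and checks that every statement names the same Subject, which is the usual expectation noted earlier and something worth flagging when it does not hold. The issuer, subject, attribute namespace, resource URI and IP address in the sample are constructed values.

```python
"""Added example (not Examine's own code): parse the three statement kinds a
SAML 1.1 Assertion can carry and check that they all speak about one Subject."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"


def q(tag):
    return f"{{{SAML}}}{tag}"


# Constructed sample in the shape the generator emits, one statement of each kind
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML}" AssertionID="_example-2"
    Issuer="https://idp.example.test" IssueInstant="2024-05-01T12:00:00Z"
    MajorVersion="1" MinorVersion="1">
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attributes">
      <saml:AttributeValue>auditor</saml:AttributeValue>
      <saml:AttributeValue>reader</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2024-05-01T11:58:30Z">
    <saml:Subject><saml:NameIdentifier>alice@example.test</saml:NameIdentifier></saml:Subject>
    <saml:SubjectLocality IPAddress="192.0.2.10"/>
  </saml:AuthenticationStatement>
  <saml:AuthorizationDecisionStatement Resource="https://app.example.test/reports" Decision="Permit">
    <saml:Subject><saml:NameIdentifier>alice@example.test</saml:NameIdentifier></saml:Subject>
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""


def summarize_statements(assertion_xml):
    """Collect what each statement asserts, keyed by kind, plus the set of
    subject names seen across statements."""
    root = ET.fromstring(assertion_xml)
    out = {"attributes": {}, "authentication": [], "decisions": [], "subjects": set()}
    for stmt in root:
        subj = stmt.find(q("Subject"))
        if subj is None:  # Conditions, Advice or Signature: not a statement
            continue
        nid = subj.find(q("NameIdentifier"))
        out["subjects"].add(nid.text if nid is not None else None)
        if stmt.tag == q("AttributeStatement"):
            for attr in stmt.findall(q("Attribute")):
                key = (attr.get("AttributeNamespace"), attr.get("AttributeName"))
                out["attributes"][key] = [v.text for v in attr.findall(q("AttributeValue"))]
        elif stmt.tag == q("AuthenticationStatement"):
            loc = stmt.find(q("SubjectLocality"))
            out["authentication"].append({
                "method": stmt.get("AuthenticationMethod"),
                "instant": stmt.get("AuthenticationInstant"),
                "ip": loc.get("IPAddress") if loc is not None else None})
        elif stmt.tag == q("AuthorizationDecisionStatement"):
            out["decisions"].append({
                "resource": stmt.get("Resource"),
                "decision": stmt.get("Decision"),
                "actions": [a.text for a in stmt.findall(q("Action"))]})
    # Statements that disagree on the subject deserve a closer look
    out["single_subject"] = len(out["subjects"]) == 1
    return out


if __name__ == "__main__":
    for k, v in summarize_statements(SAMPLE).items():
        print(f"{k}: {v}")
```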

Signing and Generating the SAML Assertion

Once the SAML Assertion has been configured as detailed in the above sections, you can opt to sign the Assertion using a private key to provide integrity protection to the generated Assertion. To do so, click on the KeyStore button, select a private key alias from one of the listed keystores, and specify the private key password as shown below:

Figure 9.28. SAML 1.1 Generator - Signing the Assertion

Note

If the private key password is the same as the keystore password, you can just select the Use store password button to use the keystore password itself. Since the password was specified when creating the keystore initially, you don't have to specify the same password again!

To finally generate the configured SAML 1.1 Assertion, click on the Generate button to generate the SAML 1.1 Assertion XML element which will be displayed in a separate dialog box as shown below. You can click on the Download button to save a copy of the XML to your local filesystem. Clicking on the Format button reformats the XML to be pretty-printed.

Caution

Once you sign the Assertion, clicking on Format will likely invalidate the content that was signed, causing signature validation to fail (because of the added whitespace characters).

Figure 9.29. SAML 1.1 Generator - SAML Assertion generated
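
The Caution above can be made concrete: an XML signature covers the canonicalized signed content, and XML canonicalization keeps whitespace-only text nodes, so the indentation a pretty-printer adds changes the bytes the digest was computed over. The following added example (not Examine's own code) takes a constructed compact Assertion, pretty-prints it with Python's minidom, and shows that the SHA-256 digest of the content changes while whitespace-only text nodes appear where there were none. Which digest algorithm the generator's signature actually uses is not stated on this page; SHA-256 here is only the illustration.

```python
"""Added example (not Examine's own code): show why pretty-printing a signed
Assertion breaks its signature, using digests over the serialized content."""
import hashlib
import xml.dom.minidom as minidom
import xml.etree.ElementTree as ET

# Constructed compact Assertion, serialized without any indentation
COMPACT = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    b'AssertionID="_example-3" Issuer="https://idp.example.test" '
    b'IssueInstant="2024-05-01T12:00:00Z" MajorVersion="1" MinorVersion="1">'
    b'<saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>'
    b'<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" '
    b'AuthenticationInstant="2024-05-01T11:58:30Z"><saml:Subject>'
    b'<saml:NameIdentifier>alice@example.test</saml:NameIdentifier>'
    b'</saml:Subject></saml:AuthenticationStatement></saml:Assertion>'
)


def digest(data):
    return hashlib.sha256(data).hexdigest()


def pretty_print(data):
    """Re-indent the document the way a Format button would."""
    return minidom.parseString(data).toprettyxml(indent="  ", encoding="utf-8")


def whitespace_text_nodes(data):
    """Count text nodes consisting only of whitespace. These are the characters a
    pretty-printer adds, and canonicalization keeps them, so they are covered by
    the signature's digest."""
    count = 0
    for el in ET.fromstring(data).iter():
        if el.text and not el.text.strip():
            count += 1
        if el.tail and not el.tail.strip():
            count += 1
    return count


def compare(data):
    pretty = pretty_print(data)
    return {
        "same_digest": digest(data) == digest(pretty),
        "whitespace_nodes_before": whitespace_text_nodes(data),
        "whitespace_nodes_after": whitespace_text_nodes(pretty),
    }


if __name__ == "__main__":
    print(compare(COMPACT))
```

The practical rule for a generated token follows from this: sign last, and download the signed XML exactly as produced; if you want a readable copy, format the unsigned version or keep the formatted copy for reading only.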