Examine has a SAML 1.1 token generator tool that can be used to hand-craft a SAML 1.1 Assertion. While this is usually not the way SAML assertions are generated or issued, it does provide an easy and quick way to create a SAML 1.1 token.
The SAML 1.1 Token Generator tool is accessible from the Tools->SAML menu tab. The main configuration view is shown below:
The SAML token generator currently can only be used to generate a SAML 1.1 Assertion. If you would like to generate a SAML 2.0 Assertion, you can use the built-in STS that can issue SAML 2.0 tokens from a WS-Trust RequestSecurityToken SOAP request and use the STS Client tool to send this RST request to it. For more information refer to these sections: STS Service and STS Client
For more information on the SAML 1.1, please refer to the specification set here: http://www.oasis-open.org/standards#samlv1.1
A SAML Assertion is a collection of information that includes one or more statements about a subject made by a SAML authority. In SAML 1.1, the Assertion can hold one or more statements that correspond to the subject. However, since the Subject information is common to the statements, this tool allows you to specify the Subject information once and have it applied to the different statements added to the assertion.
The main configuration fields are:
AssertionID: this field corresponds to the SAML 1.1 AssertionID attribute. It represents the identifier for this Assertion and is of type xsd:ID.
Issuer: this field corresponds to the SAML authority that created the assertion. The issuer name should be unambiguous to the intended relying parties.
IssueInstant: the time instant when this Assertion was created/issued.
Every type of SAML 1.1 Statement includes information about the Subject about whom the Statement is being made. Thus the Subject represents the core entity around which a SAML Assertion is focused. Even though it is technically possible in SAML 1.1 to have statements about different subjects, in practice all statements within an Assertion are made about a single Subject (this is also the view taken in SAML 2.0, where the Subject information is separated from the Statement itself).
A SAML Subject consists of a <NameIdentifier/> and a <SubjectConfirmation/>.
To configure the <NameIdentifier/> element, specify the value for the Name Qualifier field, which represents the name of the Subject, and select the URI reference that indicates the format of the name qualifier. The possible values for the Format are:
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
A SAML Assertion can have one or more Condition elements that specify certain restrictions / conditions on the use of the assertion by the relying party. To configure the Conditions for this Assertion, switch to the Conditions tab as shown below:
NotBefore: click on the calendar icon to bring up the monthly calendar with time and select the instant from which this Assertion will be valid.
NotOnOrAfter: click on the calendar icon to select the time up to which this Assertion will be valid.
Selecting this checkbox adds the <DoNotCacheCondition/> element to the Assertion.
Click on this button to add one or more <AudienceRestrictionCondition> elements, which specify that the assertion is addressed to one or more specific audiences identified by <Audience> elements, as shown below:
Click on the link to add an Audience URI field where you can specify the URI of the intended audience
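The NotBefore, NotOnOrAfter, DoNotCacheCondition and AudienceRestrictionCondition settings described above are only useful if the relying party actually enforces them. The following added example (not part of the Examine tool) shows such a check over a constructed SAML 1.1 Assertion; the issuer, audience and timestamps are sample values.

```python
# Added example (not the Examine tool's own code): a relying party evaluating the
# <Conditions> element of a SAML 1.1 Assertion such as the generator emits.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 still uses the 1.0 namespace
NS = {"saml": SAML1}

# Constructed sample assertion; issuer, audience and times are illustrative only.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
    AssertionID="_a1" Issuer="idp.example.test" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.test/</saml:Audience>
    </saml:AudienceRestrictionCondition>
    <saml:DoNotCacheCondition/>
  </saml:Conditions>
</saml:Assertion>"""

def parse_instant(value):
    """SAML dateTime values are UTC with a 'Z' suffix; reject anything else."""
    if not value.endswith("Z"):
        raise ValueError("expected UTC dateTime: " + value)
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)

def evaluate_conditions(assertion_xml, my_audience, now, skew=timedelta(seconds=30)):
    """Return (valid, reason). 'now' is the relying party's clock; 'skew' tolerates drift."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return True, "no conditions"  # absent Conditions means no restriction
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_instant(not_before):
        return False, "not yet valid"
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):  # exclusive bound
        return False, "expired"
    # Every AudienceRestrictionCondition must name us; several conditions are ANDed.
    for arc in cond.findall("saml:AudienceRestrictionCondition", NS):
        audiences = {a.text.strip() for a in arc.findall("saml:Audience", NS) if a.text}
        if my_audience not in audiences:
            return False, "audience mismatch"
    if cond.find("saml:DoNotCacheCondition", NS) is not None:
        return True, "valid; do not cache"
    return True, "valid"
```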
A SAML Assertion can contain an <Advice/> element that holds additional information to help the relying party process the Assertion. To configure this information, switch to the Advice tab.
The following actions are available to add different kinds of Advice to the Assertion:
Click on this button to open a dialog where you can specify the contents of another SAML Assertion element that should be packaged as an Advice. Note that the SAML Assertion element XML that you paste here must be a valid SAML 1.1 Assertion element (i.e. in the correct SAML 1.1 namespace).
Click on this button to open a dialog where you can specify the value of the ID attribute of another SAML 1.1 Assertion (an <AssertionIDReference/>).
Click on this button to open a dialog where you can specify any valid XML element that should be added to the Advice element.
Every SAML Assertion usually contains one or more of the following kinds of Statements about a Subject:
Attribute Statement
Authentication Statement
Authorization Decision Statement
To add one or more of the above Statements to the Assertion, switch to the Statements tab.
To add a new Attribute Statement, click on the link to add a new tab that represents the statement. Click on the button to open the Add Attribute dialog, where you can specify the name, value and namespace of the attribute as shown below:
Clicking on the button adds a new Attribute to the Attribute Statement as shown below:
To add one or more Authentication Statements to the Assertion, click on the button to add a new tab that represents the Statement as shown below:
Each Authentication Statement consists of the Authentication method used to authenticate the Subject, the time at which the authentication took place and information about the locality of the Subject.
To add an <AuthorizationDecisionStatement/> element to the Assertion, click on the button and configure the request URI and decision information as shown below:
The Decision Type value can be one of:
Deny
Permit
Indeterminate
To add one or more <Action/> elements, click on the button to select the Namespace of the Action and the Content for the Action (string data).
To add an <Evidence/> element that holds either an <AssertionIDReference/> or an <Assertion/> element, click on the button and then use the corresponding button to specify the respective value.
Once the SAML Assertion has been configured as detailed in the above sections, you can opt to sign the Assertion with a private key to provide integrity protection for the generated Assertion. To do so, click on the button, select a private key alias from one of the listed keystores, and specify the private key password as shown below:
If the private key password is the same as the keystore password, you can just select the button to use the keystore password itself. Since the password was specified when creating the keystore initially, you don't have to specify the same password again!
To finally generate the configured SAML 1.1 Assertion, click on the button to generate the SAML 1.1 Assertion XML element which will be displayed in a separate dialog box as shown below. You can click on the button to save a copy of the XML to your local filesystem. Clicking on the button reformats the XML to be pretty-printed.
Once you have signed the Assertion, clicking on the pretty-print button will most likely invalidate the content that was signed and cause signature validation to fail: the signature digest is computed over the canonicalised bytes of the signed element, and the whitespace text nodes that pretty-printing inserts change those bytes.
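The reason pretty-printing a signed Assertion breaks validation can be seen by canonicalising the XML the way XML Signature does. The following added example (not the Examine tool's own code) digests a constructed, compact SAML 1.1 Assertion before and after re-indenting it; the issuer, subject and timestamps are sample values, and the script assumes Python 3.9+ for ET.indent and ET.canonicalize.

```python
# Added example (not the Examine tool's own code): XML Signature digests the
# canonicalised (C14N) bytes of the signed element, and C14N keeps whitespace
# text nodes, so the whitespace inserted by pretty-printing changes the digest.
import hashlib
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML1)  # keep the 'saml' prefix when re-serialising

# Constructed, compact assertion as a generator would emit it before pretty-printing.
COMPACT = (
    f'<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1" '
    'AssertionID="_a1" Issuer="idp.example.test" IssueInstant="2024-05-01T12:00:00Z">'
    '<saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>'
    '<saml:AuthenticationStatement '
    'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" '
    'AuthenticationInstant="2024-05-01T12:00:00Z"><saml:Subject>'
    '<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'alice@example.test</saml:NameIdentifier></saml:Subject>'
    '</saml:AuthenticationStatement></saml:Assertion>'
)

def pretty_print(xml_text):
    """Re-indent the document the way a pretty-print button does (adds whitespace nodes)."""
    root = ET.fromstring(xml_text)
    ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")

def c14n_digest(xml_text, strip_text=False):
    """SHA-256 over the C14N form, the way a signature's DigestValue is computed."""
    canonical = ET.canonicalize(xml_text, strip_text=strip_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def digest_survives_pretty_print(xml_text):
    """True only if re-indenting leaves the signed digest unchanged (it does not)."""
    return c14n_digest(xml_text) == c14n_digest(pretty_print(xml_text))
```

With strip_text=True the two digests match again, which confirms that the inserted whitespace alone is what breaks the signature.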