Sample SAML 2.0 IdP assertion

This section provides examples of the SAML 2.0 request and response.

Example of the SAML 2.0 request generated by Marketing Platform

Marketing Platform generates the SAML 2.0 request shown in this section, and encodes it using OpenSAML Base64 APIs. The request is compatible with any other standard Base64 decoder. The encoded request is posted to the IdP server.


<saml2p:AuthnRequest 
       xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
       AssertionConsumerServiceURL="http://example.com" 
       Destination="http://example.com" 
       ForceAuthn="false" 
       ID="_0ff13d123291170422ff5e945e9a209e25f3404916451a4aaf" 
       IsPassive="false" 
       IssueInstant="2015-09-02T14:10:24.376Z" 
       ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
       Version="2.0">
              <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
                     IdP_ID
              </saml2:Issuer>
              <saml2p:NameIDPolicy 
                     AllowCreate="true" 
                     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" 
                     SPNameQualifier="SERVICE_PROVIDER_ID"/>
              <saml2p:RequestedAuthnContext 
                     Comparison="exact">
                     <saml2:AuthnContextClassRef 
                            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
                            urn:oasis:names:tc:SAML:2.0:ac:classes:
                            PasswordProtectedTransport
                     </saml2:AuthnContextClassRef>
              </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>

Example of the SAML 2.0 response generated by the IdP server


<samlp:Response
       xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
       Destination="http://serviceprovider.com/location" 
              ID="id-wmpfMj-fMh0ihGYJ73rXPTEq7o8-"
       InResponseTo="s2e211c5bfc0200fc48819f381f17d56ca0b5c780f" 
       IssueInstant="2015-09-02T14:10:24.376Z"
       Version="2.0">
       <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
              Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
              Identity Provider
       </saml:Issuer>
       <samlp:Status>
              <samlp:StatusCode Value="urn:oasis:names:tc:
                     SAML:2.0:status:Success" />
       </samlp:Status>
       <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
              ID="idzQO7U5TzPLLL4dlqTqRt9VIOlYg-" 
              IssueInstant="2015-09-02T14:10:24.376Z"
              Version="2.0">
              <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:
                     nameid-format:entity">
                            Identity Provider
              </saml:Issuer>
              <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                     <dsig:SignedInfo>
                            <dsig:CanonicalizationMethod
                               Algorithm="http://www.w3.org/2001/10/xmlexc-c14n#" />
                            <dsig:SignatureMethod
                               Algorithm="http://www.w3.org/2000/09/xmldsig#
                                          rsa-sha1" />
                            <dsig:Reference URI=
                                   "#id-zQO7U5TzPLLL4dlqTqRt9VIOlYg-" />
                                  <dsig:Transforms>
                                      <dsig:Transform Algorithm=
                                         "http://www.w3.org/2000/09/xmldsig#
                                                 enveloped-signature" />
                                      <dsig:Transform Algorithm=
                                      "http://www.w3.org/2001/10/xml-exc-c14n#" />
                                  </dsig:Transforms>
                                  <dsig:DigestMethod Algorithm=
                                      "http://www.w3.org/2000/09/xmldsig#sha1" />
                                  <dsig:DigestValue>
                                          XXX=
                                  </dsig:DigestValue>
                            </dsig:Reference>
                     </dsig:SignedInfo>
                     <dsig:SignatureValue>xxx</dsig:SignatureValue>
              </dsig:Signature>
              <saml:Subject>
                     <saml:NameID Format=
                            "urn:oasis:names:tc:SAML:2.0:nameid-format:
                                   transient"
                            NameQualifier="Test Identity Provider" 
                            SPNameQualifier="TEST">
                            id-N2EIOvbwaVflUP-cKTzgv8dGYLg-
                     </saml:NameID>
                     <saml:SubjectConfirmation 
                            Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                            <saml:SubjectConfirmationData
                              InResponseTo=
                                   "s2e211c5bfc0200fc48819f381f17d56ca0b5c780f"
                              NotOnOrAfter="2015-09-02T14:10:24.376Z" 				
                              Recipient="http://serviceprovider.com/location" />
                     </saml:SubjectConfirmation>
                     </saml:Subject>
              <saml:Conditions 
                     NotBefore="2015-09-02T14:10:24.376Z"
                     NotOnOrAfter="2015-09-02T14:10:49.376Z">
                     <saml:AudienceRestriction>
                            <saml:Audience>TEST</saml:Audience>
                     </saml:AudienceRestriction>
              </saml:Conditions>
              <saml:AuthnStatement 
                     AuthnInstant="2015-09-02T14:10:24.376Z"
                     SessionIndex="id-1FTYalkjaVTWwHrFRkIRevHfAxk-"
                     SessionNotOnOrAfter="2015-09-02T14:10:38.376Z">
                     <saml:AuthnContext>
                            <saml:AuthnContextClassRef>
                            urn:oasis:names:tc:SAML:2.0:ac:classes:
                             PasswordProtectedTransport
                            </saml:AuthnContextClassRef> 
                     </saml:AuthnContext>
              </saml:AuthnStatement>
              <saml:AttributeStatement xmlns:x500=
                  "urn:oasis:names:tc:SAML:2.0:profiles:
                  attribute:X500"
                  xmlns:xs="http://www.w3.org/2001/XMLSchema" 
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                  <saml:Attribute 
                         Name="UserIdentifier"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:
                                attrnameformat:basic">
                        <saml:AttributeValue xsi:type="xs:string">
                                user@example.com
                         </saml:AttributeValue>
                  </saml:Attribute>
              </saml:AttributeStatement>
       </saml:Assertion>
</samlp:Response>