Sample SAML 2.0 IdP assertion
This section provides examples of the SAML 2.0 request and response.
Example of the SAML 2.0 request generated by Marketing Platform
Marketing Platform generates the SAML 2.0 request shown in this section and encodes it with the OpenSAML Base64 APIs; the encoding is compatible with any standard Base64 decoder. The encoded request is posted to the IdP server.
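<!-- Sample AuthnRequest. IdP_ID, SERVICE_PROVIDER_ID and the example.com URLs are
     placeholders for the IdP entity ID, the SP entity ID and the SP's assertion
     consumer service (ACS) URL. URIs that the original listing wrapped across
     lines are restored to single values: a wrapped URN is a different string and
     the IdP will not recognise it. -->
<saml2p:AuthnRequest
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceURL="http://example.com"
    Destination="http://example.com"
    ForceAuthn="false"
    ID="_0ff13d123291170422ff5e945e9a209e25f3404916451a4aaf"
    IsPassive="false"
    IssueInstant="2015-09-02T14:10:24.376Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <!-- The SP keeps this request ID so it can check the InResponseTo values of the
       Response and of SubjectConfirmationData against it. -->
  <!-- Element text is data: the value stays on one line so that indentation
       whitespace does not become part of the issuer entity ID. -->
  <saml2:Issuer>IdP_ID</saml2:Issuer>
  <saml2p:NameIDPolicy
      AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      SPNameQualifier="SERVICE_PROVIDER_ID"/>
  <saml2p:RequestedAuthnContext Comparison="exact">
    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>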
Example of the SAML 2.0 response generated by the IdP server
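<!-- Sample Response. Only the Assertion carries a Signature; the Response element
     itself is unsigned, so the SP's trust in this message rests on verifying the
     Assertion signature. DigestValue (XXX=) and SignatureValue (xxx) are
     placeholders. Corrections to the original listing: URIs wrapped across lines
     are joined; the CanonicalizationMethod URI is xml-exc-c14n (matching the
     Transform below); dsig:Reference is now an open element because it has
     children; the Assertion ID now matches the Reference URI; the attribute
     NameFormat is the standard attrname-format:basic URN; the bearer
     NotOnOrAfter is aligned with Conditions instead of equalling IssueInstant. -->
<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="http://serviceprovider.com/location"
    ID="id-wmpfMj-fMh0ihGYJ73rXPTEq7o8-"
    InResponseTo="s2e211c5bfc0200fc48819f381f17d56ca0b5c780f"
    IssueInstant="2015-09-02T14:10:24.376Z"
    Version="2.0">
  <!-- InResponseTo must equal the ID of a request the SP actually issued and has
       not yet consumed. This value is not the ID of the request sample above; the
       two listings are independent examples, not one exchange. -->
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">Identity Provider</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <!-- The ID is the target of the Signature's Reference URI below (original
       listing had "idzQO7U5..." here and "#id-zQO7U5..." in the Reference, which
       would never resolve). The SP must only accept an Assertion whose own ID is
       what the verified signature references. -->
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="id-zQO7U5TzPLLL4dlqTqRt9VIOlYg-"
      IssueInstant="2015-09-02T14:10:24.376Z"
      Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">Identity Provider</saml:Issuer>
    <!-- Enveloped signature over this Assertion. No KeyInfo is present, so the
         verifying certificate comes from the SP's trust configuration for this
         IdP, not from the message. -->
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <dsig:SignedInfo>
        <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <!-- rsa-sha1 and sha1 are what this IdP emits; SHA-1 is deprecated for
             XML signatures. Where the IdP can be configured for SHA-256, prefer
             it, and make sure the SP's allowed-algorithm list matches what the
             IdP actually sends. -->
        <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <dsig:Reference URI="#id-zQO7U5TzPLLL4dlqTqRt9VIOlYg-">
          <dsig:Transforms>
            <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </dsig:Transforms>
          <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <dsig:DigestValue>XXX=</dsig:DigestValue>
        </dsig:Reference>
      </dsig:SignedInfo>
      <dsig:SignatureValue>xxx</dsig:SignatureValue>
    </dsig:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
          NameQualifier="Test Identity Provider"
          SPNameQualifier="TEST">id-N2EIOvbwaVflUP-cKTzgv8dGYLg-</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <!-- Bearer checks the SP performs: Recipient equals its own ACS URL,
             InResponseTo equals its outstanding request ID, and the current time
             is strictly before NotOnOrAfter. The original sample set NotOnOrAfter
             equal to IssueInstant, which is already expired at issuance. -->
        <saml:SubjectConfirmationData
            InResponseTo="s2e211c5bfc0200fc48819f381f17d56ca0b5c780f"
            NotOnOrAfter="2015-09-02T14:10:49.376Z"
            Recipient="http://serviceprovider.com/location"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <!-- 25 second validity window; Audience must equal the SP's entity ID
         (here the same value as SPNameQualifier above). -->
    <saml:Conditions
        NotBefore="2015-09-02T14:10:24.376Z"
        NotOnOrAfter="2015-09-02T14:10:49.376Z">
      <saml:AudienceRestriction>
        <saml:Audience>TEST</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement
        AuthnInstant="2015-09-02T14:10:24.376Z"
        SessionIndex="id-1FTYalkjaVTWwHrFRkIRevHfAxk-"
        SessionNotOnOrAfter="2015-09-02T14:10:38.376Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement
        xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <!-- Attribute values are kept on one line so that indentation does not
           become part of the UserIdentifier the SP maps to a local account. -->
      <saml:Attribute
          Name="UserIdentifier"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">user@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>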