(Registered 15 December 2004)
(References updated 6 February 2006)

The IESG has approved a request to register the
"application/samlassertion+xml" MIME media type in the standards tree. This
media type is a product of the Organization for the Advancement of
Structured Information Systems (OASIS). 

The IESG contact persons are Ted Hardie and Scott Hollenbeck.


MIME media type name: application

MIME subtype name: samlassertion+xml

Required parameters: none

Optional parameters: charset
Same as charset parameter of application/xml [RFC3023].

Encoding considerations:
Same as for application/xml [RFC3023].

Security considerations:
Per their specification, samlassertion+xml typed objects do not
contain executable content. However, SAML assertions are XML-based
objects [XML]. As such, they have all of the general security
considerations presented in section 10 of [RFC3023], as well as
additional ones, since they are explicit security objects. For
example, samlassertion+xml typed objects will often contain data
that may identify or pertain to a natural person, and may be used as
a basis for sessions and access control decisions.

To counter potential issues, samlassertion+xml typed objects contain
data that should be signed appropriately by the sender. Any such
signature must be verified by the recipient of the data - both as a
valid signature, and as being the signature of the sender. Issuers
of samlassertion+xml objects containing SAMLv2 assertions may also
encrypt all, or portions of, the assertions [SAMLv2Core].

In addition, SAML profiles and protocol bindings specify use of
secure channels as appropriate.

[SAMLv2.0] incorporates various privacy-protection techniques in its
design. For example: opaque handles, specific to interactions
between specific system entities, are assigned to subjects. The
handles are mappable to wider-context identifiers (e.g. email
addresses, account identifiers, etc) by only the specific parties.

For a more detailed discussion of SAML security considerations and
specific security-related design techniques, please refer to the
SAML specifications listed in the below bibliography. The
specifications containing security-specific information have been
explicitly listed for each version of SAML.

Interoperability considerations:
SAML assertions are explicitly versioned. Relying parties should
ensure that they observe assertion version information and behave
accordingly. See "Chapter 4 SAML Versioning" in [SAMLv1Core],
[SAMLv11Core], or [SAMLv2Core], as appropriate.

Published specification:
[SAMLv2Bind] explicitly specifies use of the
application/samlassertion+xml MIME media type. However, it is
conceivable that non-SAMLv2 assertions (i.e. SAMLv1 and/or SAMLv1.1)
might in practice be conveyed using SAMLv2 bindings.

Applications which use this media type:
Potentially any application implementing SAML, as well as those
applications implementing specifications based on SAML, e.g. those
available from the Liberty Alliance [LAP].

Additional information:

Magic number(s):
In general, the same as for application/xml [RFC3023]. In
particular, the XML root element of the returned object will be
<saml:Assertion>, where "saml" maps to a version-specific SAML
assertion namespace, as defined by the appropriate SAML "core"
specification (see bibliography). In the case of SAMLv2.0, the
root element of the returned object may be either
<saml:Assertion> or <saml:EncryptedAssertion>, where "saml"
maps to the SAMLv2.0 assertion namespace:
urn:oasis:names:tc:SAML:2.0:assertion

File extension(s): none
Macintosh File Type Code(s): none

Person & email address to contact for further information:
This registration is made on behalf of the OASIS Security Services
Technical Committee (SSTC) Please refer to the SSTC website for
current information on committee chairperson(s) and their contact
addresses: http://www.oasis-open.org/committees/security/. Committee
members should submit comments and potential errata to the
securityservices at lists.oasis-open.org list. Others should submit
them by filling out the web form located at
http://www.oasis-open.org/committees/comments/form.php?wg_abbrev=secur

Additionally, the SAML developer community email distribution list,
saml-dev at lists.oasis-open.org, may be employed to discuss usage of
the application/samlassertion+xml MIME media type. The "saml-dev"
mailing list is publicly archived here:
http://lists.oasis-open.org/archives/saml-dev/. To post to the
"saml-dev" mailing list, one must subscribe to it. To subscribe,
send a message with the single word "subscribe" in the message body,
to: saml-dev-request at lists.oasis-open.org.

Intended usage: COMMON

Author/Change controller:
The SAML specification sets are a work product of the OASIS Security
Services Technical Committee (SSTC). OASIS and the SSTC have change
control over the SAML specification sets.

Bibliography

[LAP] "Liberty Alliance Project". See
http://www.projectliberty.org/

[OASIS] "Organization for the Advancement of Structured
Information Systems". See http://www.oasis-open.org/

[RFC3023] M. Murata, S. St.Laurent, D. Kohn, "XML Media Types",
IETF Request for Comments 3023, January 2001. Available
as http://www.rfc-editor.org/rfc/rfc3023.txt

[SAMLv1.0] OASIS Security Services Technical Committee, "Security
Assertion Markup Language (SAML) Version 1.0
Specification Set". OASIS Standard 200205, November
2002. Available as
http://www.oasis-open.org/committees/download.php/2290/
oasis-sstc-saml-1.0.zip

[SAMLv1Bind] Prateek Mishra et al., "Bindings and Profiles for the
OASIS Security Assertion Markup Language (SAML)",
OASIS, November 2002. Document ID
oasis-sstc-saml-bindings-1.0. See
http://www.oasis-open.org/committees/security/

[SAMLv1Core] Phillip Hallam-Baker et al., "Assertions and Protocol
for the OASIS Security Assertion Markup Language
(SAML)", OASIS, November 2002. Document ID
oasis-sstc-saml-core-1.0. See
http://www.oasis-open.org/committees/security/

[SAMLv1Sec] Chris McLaren et al., "Security Considerations for the
OASIS Security Assertion Markup Language (SAML)",
OASIS, November 2002. Document ID
oasis-sstc-saml-sec-consider-1.0. See
http://www.oasis-open.org/committees/security/

[SAMLv1.1] OASIS Security Services Technical Committee, "Security
Assertion Markup Language (SAML) Version 1.1
Specification Set". OASIS Standard 200308, August
2003. Available as
http://www.oasis-open.org/committees/download.php/3400/
oasis-sstc-saml-1.1-pdf-xsd.zip

[SAMLv11Bind] E. Maler et al. "Bindings and Profiles for the OASIS
Security Assertion Markup Language (SAML)". OASIS,
September 2003. Document ID
oasis-sstc-saml-bindings-1.1.
http://www.oasis-open.org/committees/security/

[SAMLv11Core] E. Maler et al. "Assertions and Protocol for the OASIS
Security Assertion Markup Language (SAML)". OASIS,
September 2003. Document ID oasis-sstc-saml-core-1.1.
http://www.oasis-open.org/committees/security/

[SAMLv11Sec] E. Maler et al. "Security Considerations for the OASIS
Security Assertion Markup Language (SAML)". OASIS,
September 2003. Document ID
oasis-sstc-saml-sec-consider-1.1.
http://www.oasis-open.org/committees/security/

[SAMLv2.0] OASIS Security Services Technical Committee, "Security
Assertion Markup Language (SAML) Version 2.0 Specification Set".
OASIS Standard, 15-Mar-2005. Available at:
http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip

[SAMLv2Bind] S. Cantor et al., "Bindings for the OASIS Security
Assertion Markup Language (SAML) V2.0". OASIS, March 2005.
Document ID saml-bindings-2.0-os. Available at:
http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf

[SAMLv2Core] S. Cantor et al., "Assertions and Protocols for the
OASIS Security Assertion Markup Language (SAML) V2.0". OASIS,
March 2005. Document ID saml-core-2.0-os. Available at:
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

[SAMLv2Prof] S. Cantor et al., "Profiles for the OASIS Security
Assertion Markup Language (SAML) V2.0". OASIS, March 2005.
Document ID saml-profiles-2.0-os. Available at:
http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

[SAMLv2Sec] F. Hirsch et al., "Security and Privacy Considerations
for the OASIS Security Assertion Markup Language (SAML) V2.0".
OASIS, March 2005. Document ID saml-sec-consider-2.0-os.
Available at:
http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf

[SSTC] "OASIS Security Services Technical Committee". See
http://www.oasis-open.org/committees/security/

[XML] Bray, T., Paoli, J., Sperberg-McQueen, C.M. and E. Maler,
"Extensible Markup Language (XML) 1.0 (Second
Edition)", World Wide Web Consortium Recommendation
REC-xml, October 2000, Available as
http://www.w3.org/TR/REC-xml