Last update: 2026-03-25 15:25:35
This article describes the elements that must be present in the SAML response used for SSO.
In SAML 2.0-based SSO, when an enterprise user logs in at the IdP, the IdP produces an authentication response containing a SAML assertion, and the browser automatically forwards it to CDNetworks. CDNetworks uses this assertion to confirm that the user is logged in and to derive the login principal from it. The assertion must therefore contain the elements CDNetworks requires; otherwise the identity of the logged-in user cannot be confirmed and SSO fails.
<saml2p:Response>
  <saml2:Issuer>${entityID}</saml2:Issuer>
  <ds:Signature>
    …
  </ds:Signature>
  <saml2p:Status>
    …
  </saml2p:Status>
  <saml2:Assertion>
    <saml2:Issuer>${entityID}</saml2:Issuer>
    <ds:Signature>
      …
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID>${NameID}</saml2:NameID>
      <saml2:SubjectConfirmation>
        …
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction>
        <saml2:Audience>${Audience}</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement>
      …
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/LoginName">
        <saml2:AttributeValue>wsc:iam::${parentLoginName}:login-name/${loginName1},wsc:iam::${parentLoginName}:saml-provider/${provider}</saml2:AttributeValue>
        <saml2:AttributeValue>wsc:iam::${parentLoginName}:login-name/${loginName2},wsc:iam::${parentLoginName}:saml-provider/${provider}</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/RoleSessionName">
        <saml2:AttributeValue>${NameID}</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
| Element | Description |
| --- | --- |
| Issuer | The ${entityID} value of the Issuer must match the entityID in the IdP metadata file you uploaded when creating the identity provider entity in the console. |
| Signature | The SAML assertion must be signed so that tampering can be detected. The Signature element and its child elements must carry the signature value, the signature algorithm and the other information required by XML Signature. |
| Subject | The Subject must contain: 1) exactly one NameID element. Its value is usually the identity of the assertion subject in the IdP (for example the IdP's internal account name or account ID); CDNetworks does not rely on this value to determine the login principal. 2) exactly one SubjectConfirmation element, containing one SubjectConfirmationData element. SubjectConfirmationData must additionally carry two attributes; see the example below. |
| Conditions | The Conditions element must contain one AudienceRestriction element, which may contain one or more Audience elements; at least one Audience must have the value https://login.cdnetworks.com. |

Example of a Subject element:

<saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData InResponseTo="_adafdaxfrpqkrf4cpnkfslpgxf76qeqmlwtag" NotOnOrAfter="2021-04-29T18:57:29.367Z" Recipient="https://login.cdnetworks.com/cas/login?client_name=mockClient"/>
  </saml2:SubjectConfirmation>
</saml2:Subject>

Example of a Conditions element:

<saml2:Conditions>
  <saml2:AudienceRestriction>
    <saml2:Audience>https://login.cdnetworks.com</saml2:Audience>
  </saml2:AudienceRestriction>
</saml2:Conditions>
The AttributeStatement element of the SAML assertion must include the following Attribute elements:
1) An Attribute element whose Name attribute is https://login.cdnetworks.com/SAML/Attributes/LoginName. Its format is:
<saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/LoginName">
  <saml2:AttributeValue>wsc:iam::${parentLoginName}:login-name/${loginName1},wsc:iam::${parentLoginName}:saml-provider/${provider}</saml2:AttributeValue>
  <saml2:AttributeValue>wsc:iam::${parentLoginName}:login-name/${loginName2},wsc:iam::${parentLoginName}:saml-provider/${provider}</saml2:AttributeValue>
</saml2:Attribute>
In this attribute:
•${parentLoginName}: replace with your master account in CDNetworks;
•${loginName1}, ${loginName2}: replace with the CDNetworks user account(s) that the current IdP user uses to access CDNetworks, one AttributeValue per account;
•${provider}: replace with the name of the SAML identity provider you created in the CDNetworks console. The provider name must be the same in every AttributeValue.
2) An Attribute element whose Name attribute is https://login.cdnetworks.com/SAML/Attributes/RoleSessionName. This element is mandatory and there must be exactly one.
The value of the AttributeValue element it contains is used as part of the login user information shown in the console and in the operations audit log. The value is user-defined and must not exceed 32 characters. Its format is:
<saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/RoleSessionName">
  <saml2:AttributeValue>${NameID}</saml2:AttributeValue>
</saml2:Attribute>
The following is an example of the RoleSessionName Attribute element; the value of ${NameID} must be identical to the NameID value in the Subject element.
<saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/RoleSessionName">
  <saml2:AttributeValue>admin</saml2:AttributeValue>
</saml2:Attribute>
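The element table above and the two attribute requirements can be turned into a single service-provider-side check. The following is an added example, not CDNetworks code: it parses a response with the Python standard library and reports every requirement that is not met (Issuer match, Signature presence on Response and Assertion, exactly one NameID and one SubjectConfirmation with NotOnOrAfter and Recipient, the https://login.cdnetworks.com Audience, the wsc:iam LoginName format with a single provider, and a RoleSessionName of at most 32 characters equal to the NameID). The function name validate_response, the SAMPLE_RESPONSE document, the IdP entityID https://idp.example.com/metadata, the accounts master/alice/bob and the provider name corp-idp are all constructed for the example. It deliberately does not verify the XML signature: that needs an xmlsec-capable library and the IdP certificate, and must succeed before any of these structural results are trusted.

```python
# Added example (not CDNetworks code): SP-side structural checks for the requirements above.
# It does NOT verify the XML signature: do that first, with an xmlsec-capable library and the IdP cert.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol", "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
LOGIN_NAME_ATTR = "https://login.cdnetworks.com/SAML/Attributes/LoginName"
ROLE_SESSION_ATTR = "https://login.cdnetworks.com/SAML/Attributes/RoleSessionName"
REQUIRED_AUDIENCE = "https://login.cdnetworks.com"
LOGIN_VALUE_RE = re.compile(  # one LoginName value: "<login-name ARN>,<saml-provider ARN>", same parent
    r"^wsc:iam::(?P<parent>[^:]+):login-name/(?P<login>[^,]+),"
    r"wsc:iam::(?P=parent):saml-provider/(?P<provider>.+)$")
# Constructed sample; the IdP entityID, account names and provider name are hypothetical.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer>
 <ds:Signature><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
 <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
 <saml2:Assertion>
  <saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer>
  <ds:Signature><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
  <saml2:Subject>
   <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
   <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData NotOnOrAfter="2021-04-29T18:57:29.367Z"
     Recipient="https://login.cdnetworks.com/cas/login?client_name=mockClient"/>
   </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions><saml2:AudienceRestriction>
   <saml2:Audience>https://login.cdnetworks.com</saml2:Audience>
  </saml2:AudienceRestriction></saml2:Conditions>
  <saml2:AttributeStatement>
   <saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/LoginName">
    <saml2:AttributeValue>wsc:iam::master:login-name/alice,wsc:iam::master:saml-provider/corp-idp</saml2:AttributeValue>
    <saml2:AttributeValue>wsc:iam::master:login-name/bob,wsc:iam::master:saml-provider/corp-idp</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/RoleSessionName">
    <saml2:AttributeValue>admin</saml2:AttributeValue>
   </saml2:Attribute>
  </saml2:AttributeStatement>
 </saml2:Assertion>
</saml2p:Response>"""

def validate_response(xml_text, expected_issuer, now=None):
    """Return (principals, problems): (parent, login, provider) tuples from LoginName, and check failures."""
    now = now or datetime.now(timezone.utc)
    problems = []
    resp = ET.fromstring(xml_text)
    assertions = resp.findall("saml2:Assertion", NS)
    if len(assertions) != 1:  # reject multi-assertion responses outright
        return [], [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]
    # Issuer and Signature are required on both the Response and the Assertion.
    for node, where in ((resp, "Response"), (a, "Assertion")):
        issuer = node.findtext("saml2:Issuer", default="", namespaces=NS)
        if issuer != expected_issuer:
            problems.append(f"{where} Issuer {issuer!r} != {expected_issuer!r}")
        if node.find("ds:Signature", NS) is None:
            problems.append(f"{where} has no ds:Signature element")
    # Subject: exactly one NameID; exactly one SubjectConfirmation carrying SubjectConfirmationData.
    name_ids = a.findall("saml2:Subject/saml2:NameID", NS)
    name_id = name_ids[0].text if len(name_ids) == 1 else None
    if name_id is None:
        problems.append(f"expected exactly one NameID, found {len(name_ids)}")
    confs = a.findall("saml2:Subject/saml2:SubjectConfirmation", NS)
    data = confs[0].find("saml2:SubjectConfirmationData", NS) if len(confs) == 1 else None
    if data is None:
        problems.append("expected exactly one SubjectConfirmation with SubjectConfirmationData")
    else:
        not_after = data.get("NotOnOrAfter")
        if not not_after or not data.get("Recipient"):
            problems.append("SubjectConfirmationData lacks NotOnOrAfter or Recipient")
        elif now >= datetime.fromisoformat(not_after.replace("Z", "+00:00")):
            problems.append("assertion expired (NotOnOrAfter is in the past)")
    # Conditions: at least one Audience must be the CDNetworks login URL.
    audiences = [n.text for n in a.findall("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)]
    if REQUIRED_AUDIENCE not in audiences:
        problems.append(f"required Audience {REQUIRED_AUDIENCE} missing, got {audiences}")
    # LoginName: every value must match the wsc:iam format, and all values must name one provider.
    attrs = a.findall("saml2:AttributeStatement/saml2:Attribute", NS)
    principals = []
    for attr in (n for n in attrs if n.get("Name") == LOGIN_NAME_ATTR):
        for value in attr.findall("saml2:AttributeValue", NS):
            m = LOGIN_VALUE_RE.match(value.text or "")
            if m is None:
                problems.append(f"malformed LoginName value {value.text!r}")
            else:
                principals.append((m["parent"], m["login"], m["provider"]))
    if len({p[2] for p in principals}) != 1:
        problems.append("LoginName needs at least one value, all naming the same saml-provider")
    # RoleSessionName: exactly one element with one value, at most 32 chars, equal to NameID.
    role_attrs = [n for n in attrs if n.get("Name") == ROLE_SESSION_ATTR]
    role_values = [v.text or "" for n in role_attrs for v in n.findall("saml2:AttributeValue", NS)]
    if len(role_attrs) != 1 or len(role_values) != 1:
        problems.append("expected exactly one RoleSessionName attribute with one value")
    elif len(role_values[0]) > 32 or role_values[0] != name_id:
        problems.append(f"RoleSessionName {role_values[0]!r} must equal NameID {name_id!r}, <= 32 chars")
    return principals, problems
```

Passing `now` explicitly keeps the check deterministic when replaying a captured response; in production, leave it unset so NotOnOrAfter is compared against the current time. Rejecting any response that does not contain exactly one Assertion, before looking at anything else, is what closes the door on assertion-smuggling variants where a second, unsigned assertion is appended to a signed one.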
Follow-up operations: