
Essential SAML Response Components

Last update: 2026-03-25 15:21:53

This article introduces the required elements that must be included in the SAML response during SSO.

Overview

In the SSO process based on SAML 2.0, after an enterprise user logs in at the IdP, the IdP generates an authentication response containing a SAML assertion, which the browser then automatically forwards to CDNetworks. CDNetworks uses this SAML assertion to verify the user's login status and to identify the login subject. Therefore, the assertion must include the elements required by CDNetworks; otherwise, the user's identity cannot be confirmed and SSO fails.

SAML Response

<saml2p:Response>
    <saml2:Issuer>${entityID}</saml2:Issuer>
    <saml2p:Status>
        ...
    </saml2p:Status>
    <saml2:Assertion>
        <saml2:Issuer>${entityID}</saml2:Issuer>
        <ds:Signature>
            ...
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID>${NameID}</saml2:NameID>
            <saml2:SubjectConfirmation>
                ...
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions>
            <saml2:AudienceRestriction>
                <saml2:Audience>${Audience}</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement>
            ...
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/UserSessionName">
                <saml2:AttributeValue>${idpLoginName}</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>


Description of Elements in SAML Assertions

  • Common Elements of the SAML 2.0 Protocol

Issuer
The value of Issuer's ${entityID} must match the entityID in the metadata file you uploaded in the User SSO settings on the console.

Signature
The SAML assertion must be signed to ensure that it has not been tampered with. The Signature element and its child elements must contain the signature value, the signature algorithm, and the other required information.

Subject

The Subject must contain the following elements:

  • There must be one and only one NameID element, which serves as the identifier for a specific IAM user under the CDNetworks account.

When using Single Sign-On (SSO), the specific IAM user must be identified. Therefore, the SAML assertion generated by the enterprise IdP must include user information. The NameID element in the SAML assertion is parsed to match an IAM user, so configure your IAM users accordingly to enable user SSO.

  • If the user has enabled a secondary domain, the secondary domain is used as the suffix of the NameID element. The value of the NameID element is: <loginName>@<secondary domain>. For example, if the IAM username is abc and the secondary domain is cdn.com, the NameID is abc@cdn.com.
  • If the user has not enabled a secondary domain, the value of the NameID element is: <loginName>. For example, if the IAM username is abc, the NameID is abc.


  • There must be one and only one SubjectConfirmation element, which includes a SubjectConfirmationData element. The SubjectConfirmationData must have the following two attributes:

NotOnOrAfter: Specifies the validity period of the SAML assertion, i.e. the instant from which the assertion is no longer accepted.

Recipient: CDNetworks verifies that it is the intended recipient of the assertion by checking the value of this attribute. The value must be: https://login.cdnetworks.com/cas/login?client_name=${provider}.

Below is an example of a Subject element:

<Subject>
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc@cdn.com</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2023-11-23T18:57:29.367Z" Recipient="https://login.cdnetworks.com/cas/login?client_name=${provider}"/>
    </SubjectConfirmation>
</Subject>
Conditions

In the Conditions element, an AudienceRestriction element is required, which may include one or more Audience elements. At least one Audience element must have the following value: https://login.cdnetworks.com.

The following is an example of a Conditions element:

<saml2:Conditions>
    <saml2:AudienceRestriction>
        <saml2:Audience>https://login.cdnetworks.com</saml2:Audience>
    </saml2:AudienceRestriction>
</saml2:Conditions>
  • Custom Element Requirements

In the AttributeStatement element of a SAML assertion, the following Attribute elements can be included:

  1. An Attribute element with the Name property value set to: https://login.cdnetworks.com/SAML/Attributes/UserSessionName. This element is optional and only one is allowed.
    The value of the AttributeValue element included within this element will be used as part of the login user information displayed in the Action Trail logs on the console. This field is user-defined and must not exceed 32 characters in length. The format is:

<saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/UserSessionName">
    <saml2:AttributeValue>${idpLoginName}</saml2:AttributeValue>
</saml2:Attribute>

If the response data does not contain an Attribute element with the Name property value of https://login.cdnetworks.com/SAML/Attributes/UserSessionName, the operator recorded in the Action Trail for console operations will default to the value of the NameID element in the Subject.
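The checks above can be exercised against a response before it is trusted. The following validator is an added example, not CDNetworks' own validation code: it applies the Issuer, Signature, Subject, Conditions and UserSessionName rules from this page, with the IdP entityID https://idp.example.com, the provider name okta and the response body all constructed, and the signature checked only for presence.

```python
# Added example, not CDNetworks' code; entityID, provider name and response body are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
AUDIENCE = "https://login.cdnetworks.com"
RECIPIENT = "https://login.cdnetworks.com/cas/login?client_name={}"
SESSION_ATTR = "https://login.cdnetworks.com/SAML/Attributes/UserSessionName"

def check_assertion(xml_text, entity_id, provider, now):
    """Return (problems, operator): violated rules and the name Action Trail would record."""
    a = ET.fromstring(xml_text).find("saml2:Assertion", NS)
    if a is None:
        return ["Response carries no Assertion"], None
    p = []
    if a.findtext("saml2:Issuer", None, NS) != entity_id:
        p.append("Issuer does not match the entityID of the uploaded IdP metadata")
    if a.find("ds:Signature", NS) is None:  # presence only; verify the XML-DSig (e.g. xmlsec) in production
        p.append("Assertion is not signed")
    ids = a.findall("saml2:Subject/saml2:NameID", NS)
    if len(ids) != 1:
        p.append("Subject must contain exactly one NameID")
    data = a.findall("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if len(data) != 1 or data[0].get("Recipient") != RECIPIENT.format(provider):
        p.append("need exactly one SubjectConfirmationData whose Recipient is the CDNetworks login URL")
    exp = data[0].get("NotOnOrAfter") if len(data) == 1 else None
    if exp is None or now >= datetime.fromisoformat(exp.replace("Z", "+00:00")):
        p.append("NotOnOrAfter missing or assertion already expired")
    auds = a.findall("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)
    if AUDIENCE not in [x.text for x in auds]:
        p.append("AudienceRestriction lacks the Audience " + AUDIENCE)
    attrs = [x for x in a.findall("saml2:AttributeStatement/saml2:Attribute", NS)
             if x.get("Name") == SESSION_ATTR]
    operator = ids[0].text if ids else None  # Action Trail falls back to the NameID
    if len(attrs) > 1:
        p.append("only one UserSessionName attribute is allowed")
    elif attrs:
        operator = attrs[0].findtext("saml2:AttributeValue", "", NS)
        if len(operator) > 32:
            p.append("UserSessionName must not exceed 32 characters")
    return p, operator

# Constructed sample (empty Signature placeholder, no real IdP); valid at SAMPLE_NOW for provider "okta".
SAMPLE_NOW = datetime(2023, 11, 23, 18, 0, tzinfo=timezone.utc)
SAMPLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><saml2:Issuer>https://idp.example.com</saml2:Issuer><saml2:Assertion>
<saml2:Issuer>https://idp.example.com</saml2:Issuer><ds:Signature/><saml2:Subject><saml2:NameID>abc@cdn.com</saml2:NameID>
<saml2:SubjectConfirmation><saml2:SubjectConfirmationData NotOnOrAfter="2023-11-23T18:57:29.367Z" Recipient="https://login.cdnetworks.com/cas/login?client_name=okta"/>
</saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions><saml2:AudienceRestriction><saml2:Audience>https://login.cdnetworks.com</saml2:Audience>
</saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></saml2p:Response>"""
```

In production, parse the untrusted response with a hardened parser such as defusedxml and verify the XML signature before relying on any of these fields.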
