4.2 SAML 1.1 Assertion Extension

Following is a SAML assertion fragment that illustrates the message syntax of the SAML 1.1 Assertion Extension elements in the advice element, as specified in section 2.2.3.

 <saml:Advice xmlns:adfs="urn:microsoft:federation">
   <adfs:WindowsIdentifiers>
 AAAAAAEAAAABBAAAAAAABRUAAAAVU+0xvWJxlc9CDm4GAAAA9AEAAAYCAAAHAgAACAIAA
 AECAAAAAgAA
   </adfs:WindowsIdentifiers>
   <adfs:CookieInfoHash>
     K6GNTL15/jljype53+PFRAiOfek=
   </adfs:CookieInfoHash>
   <adfs:WindowsUserIdentifier>
     S-1-5-21-837636885-2507236029-1846428367-500
   </adfs:WindowsUserIdentifier>
   <adfs:WindowsUserName>
     ADFSVM-A\Administrator
   </adfs:WindowsUserName>
 </saml:Advice>

The raw octets of the WindowsIdentifiers (section 3.1.5.2.1.5) binary structure, after base64 decoding, are as follows.

 00 00 00 00 01 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 15 53 ED 
 31 BD 62 71 95 CF 42 0E 6E 06 00 00 00 F4 01 00 00 06 02 00 00 07 02 
 00 00 08 02 00 00 01 02 00 00 00 02 00 00

The octet stream is structured as follows (see section 2.2.3.2).

 00 00 00 00  WindowsIdentifierFlags = 0
              TryLocalAccount = 0
              NoUserSid = 0
 01 00 00 00  PackedSidsCount = 1 (0x00000001)
                PackedSids1
                  DomainSid
 01                 Revision = 1 (0x01)
    04                SubAuthorityCount = 4 (0x04)
       00 00          IdentifierAuthority[0..1] = {0, 0, … 
 00 00 00 05          IdentifierAuthority[2..5] =  0, 0, 0, 5
                      (0x05)}
 15 00 00 00          SubAuthority1 = 21 (0x00000015)
 15 53 ED 31          SubAuthority2 = 837636885 (0x31ED5315)
 BD 62 71 95          SubAuthority3 = 2507236029 (0x957162BD) 
 CF 42 0E 6E          SubAuthority4 = 1846428367 (0x6E0E42CF)
 06 00 00 00        RidCount = 6 (0x00000006)
 F4 01 00 00        Rid1 = 500 (0x000001F4)
 06 02 00 00        Rid2 = 518 (0x00000206)
 07 02 00 00        Rid3 = 519 (0x00000207)
 08 02 00 00        Rid4 = 520 (0x00000208)
 01 02 00 00        Rid5 = 513 (0x00000201)
 00 02 00 00        Rid6 = 512 (0x00000200)

The SIDs encoded in the structure are as follows:

  • S-1-5-21-837636885-2507236029-1846428367-500

  • S-1-5-21-837636885-2507236029-1846428367-518

  • S-1-5-21-837636885-2507236029-1846428367-519

  • S-1-5-21-837636885-2507236029-1846428367-520

  • S-1-5-21-837636885-2507236029-1846428367-513

  • S-1-5-21-837636885-2507236029-1846428367-512
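
The decoding walked through above can be reproduced with a short bounds-checked parser. This is an added example, not part of the specification: the field layout is inferred from the octet breakdown on this page, and the names `Reader`, `parse_windows_identifiers` and `SAMPLE_B64` are hypothetical.

```python
import base64
import struct

# Base64 text of the WindowsIdentifiers element in the fragment above.
SAMPLE_B64 = (
    "AAAAAAEAAAABBAAAAAAABRUAAAAVU+0xvWJxlc9CDm4GAAAA9AEAAAYCAAAHAgAACAIAA"
    "AECAAAAAgAA"
)


class Reader:
    """Bounds-checked cursor over the decoded octets."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if n > len(self.data) - self.pos:
            raise ValueError(f"truncated: need {n} octets at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self):
        return struct.unpack("<I", self.take(4))[0]  # little-endian, as in the example

    def u32_array(self, count):
        # take() rejects a count larger than the remaining octets before unpacking.
        return struct.unpack(f"<{count}I", self.take(4 * count))


def parse_windows_identifiers(b64_text):
    """Return (flags, [SID strings]); layout assumed from this page's walkthrough."""
    r = Reader(base64.b64decode("".join(b64_text.split()), validate=True))
    flags = r.u32()  # bit positions are not shown on this page, so keep the raw value
    sids = []
    for _ in range(r.u32()):                          # PackedSidsCount
        revision, sub_count = r.take(2)               # Revision, SubAuthorityCount
        authority = int.from_bytes(r.take(6), "big")  # IdentifierAuthority[0..5]
        subs = r.u32_array(sub_count)                 # SubAuthority1..N
        domain = "-".join(map(str, ("S", revision, authority, *subs)))
        sids += [f"{domain}-{rid}" for rid in r.u32_array(r.u32())]  # RidCount, Rids
    if r.pos != len(r.data):
        raise ValueError(f"{len(r.data) - r.pos} trailing octets")
    return flags, sids
```

Because the count fields come from the assertion itself, a value that claims more SIDs or RIDs than the octets can hold raises `ValueError` instead of being read past the end of the buffer.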