3.1.5.4.6 SAML Assertion Construction

Having assembled the required set of claims, the IP/STS constructs a security token according to the SAML 1.1 assertion syntax specified in section 2.2.4.2. The relying party's identity MUST be used to populate the Audience element of the required AuthenticationStatement. From the Authentication Context, AuthIdentity, AuthMethod, and AuthTime MUST be used to populate the Subject element, AuthenticationMethod attribute, and AuthenticationInstant, respectively, of the AuthenticationStatement. Additional claims required by the relying party MUST be placed in separate Attribute elements in the AttributeStatement.

As specified in section 2.2.4.1, the security token MUST be encoded as a wst:RequestSecurityTokenResponse and returned in the wresult parameter of the wsignin1.0 response message. The IP/STS MAY encrypt the security token as described in section 2.2.4.1.
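The following Python is an added illustration, not code from the specification or from any IP/STS implementation. It builds the wresult value described above (a wst:RequestSecurityTokenResponse carrying one SAML 1.1 assertion) from the claim set and the Authentication Context fields, and shows the checks a relying party should apply on receipt; in SAML 1.1 syntax the Audience element sits under the assertion's Conditions. The namespace URIs are the standard SAML 1.1 and WS-Trust ones; the issuer, relying party, claim URIs and timestamps are constructed sample values, and signing and the optional encryption are omitted.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"      # SAML 1.1 assertion namespace
WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"  # WS-Trust namespace of the RSTR
TS = "%Y-%m-%dT%H:%M:%SZ"                            # UTC timestamp format used throughout
ET.register_namespace("saml", SAML)
ET.register_namespace("wst", WST)

def build_wresult(issuer, relying_party, auth_identity, auth_method, auth_time, claims, assertion_id):
    """IP/STS side: wrap one unsigned SAML 1.1 assertion in wst:RequestSecurityTokenResponse (the wresult value)."""
    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    requested = ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken")
    assertion = ET.SubElement(requested, f"{{{SAML}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "1", "AssertionID": assertion_id,
        "Issuer": issuer, "IssueInstant": auth_time})
    # The relying party's identity goes in Conditions/AudienceRestrictionCondition/Audience.
    arc = ET.SubElement(ET.SubElement(assertion, f"{{{SAML}}}Conditions"), f"{{{SAML}}}AudienceRestrictionCondition")
    ET.SubElement(arc, f"{{{SAML}}}Audience").text = relying_party
    # AuthIdentity -> Subject, AuthMethod -> AuthenticationMethod, AuthTime -> AuthenticationInstant.
    authn = ET.SubElement(assertion, f"{{{SAML}}}AuthenticationStatement",
                          {"AuthenticationMethod": auth_method, "AuthenticationInstant": auth_time})
    ET.SubElement(ET.SubElement(authn, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameIdentifier").text = auth_identity
    if claims:  # every additional claim becomes its own Attribute element of one AttributeStatement
        attrs = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
        ET.SubElement(ET.SubElement(attrs, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameIdentifier").text = auth_identity
        for (ns, name), value in claims.items():  # claims: {(attribute_namespace, attribute_name): value}
            attr = ET.SubElement(attrs, f"{{{SAML}}}Attribute", {"AttributeName": name, "AttributeNamespace": ns})
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(rstr, encoding="unicode")

def check_wresult(wresult, expected_audience, now, max_age_seconds=300, max_skew_seconds=60):
    """Relying-party side: reject an assertion not addressed to us or not fresh, then extract identity and claims.
    Signature verification (and decryption, if the IP/STS encrypted the token) must precede this and is not shown."""
    assertion = ET.fromstring(wresult).find(f".//{{{SAML}}}Assertion")
    if assertion is None:
        raise ValueError("no SAML assertion in RequestSecurityTokenResponse")
    audiences = [a.text for a in assertion.iter(f"{{{SAML}}}Audience")]
    if expected_audience not in audiences:
        raise ValueError(f"assertion audience {audiences} does not include {expected_audience}")
    authn = assertion.find(f"{{{SAML}}}AuthenticationStatement")
    if authn is None:
        raise ValueError("AuthenticationStatement is required")
    age = (dt.datetime.strptime(now, TS) - dt.datetime.strptime(authn.get("AuthenticationInstant"), TS)).total_seconds()
    if not -max_skew_seconds <= age <= max_age_seconds:
        raise ValueError(f"AuthenticationInstant is {age:.0f}s from now; outside the accepted window")
    identity = authn.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier").text
    claims = {(a.get("AttributeNamespace"), a.get("AttributeName")): a.find(f"{{{SAML}}}AttributeValue").text
              for a in assertion.iter(f"{{{SAML}}}Attribute")}
    return identity, claims
```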