3.1.1.4 Claim
A security token MAY<40> contain an AttributeStatement, with one or more Attribute elements, each of which contains a single claim, as specified in section 2.2.4.2. A claim is uniquely identified by its AttributeName attribute and <AttributeValue> element.
This protocol restricts the syntax and semantics of these five claims to the following definitions. See section 2.2.4.2 for further specification of the AttributeStatement element of a security token and for the usage of AttributeName, AttributeNamespace, and <AttributeValue> in the following claim definitions:
EmailAddress claim (optional): This claim is used to identify a Subject via an email address.
The AttributeName attribute MUST be "EmailAddress".
The AttributeNamespace attribute MUST be the URL http://schemas.xmlsoap.org/claims.
The <AttributeValue> element content MUST conform to "addr-spec", as specified in [RFC2822]. The value MUST be unique within the security realm of the requestor IP/STS that issued the security token such that a relying party could use it to make an access control decision.
When this claim is used for the value of the Subject/NameIdentifier element of an AuthenticationStatement or AttributeStatement, the value of the Format attribute MUST be the URI urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
UPN claim (optional): This claim is used to identify a Subject via a UPN.
The AttributeName attribute MUST be "UPN".
The AttributeNamespace attribute MUST be the URL http://schemas.xmlsoap.org/claims.
The <AttributeValue> element content MUST be a UPN. The value MUST be unique within the security realm of the requestor IP/STS that issued the security token such that a relying party could use it to make an access control decision.
When this claim is used for the value of the Subject/NameIdentifier element of an AuthenticationStatement or AttributeStatement, the value of the Format attribute MUST be the URL http://schemas.xmlsoap.org/claims/UPN.
CommonName claim (optional): This claim is used to identify a Subject via a common name (CN) value consistent with X.500 naming conventions.
The AttributeName attribute MUST be "CommonName".
The AttributeNamespace attribute MUST be the URL http://schemas.xmlsoap.org/claims.
The <AttributeValue> element content MUST conform to CommonName, as specified in [X500]. The value of this claim is not necessarily unique and MUST NOT be used by a relying party to make an access control decision. It is suitable for displaying a friendly name for personalization.
When this claim is used for the value of the Subject/NameIdentifier element of an AuthenticationStatement or AttributeStatement, the value of the Format attribute MUST be the URL http://schemas.xmlsoap.org/claims/CommonName.
Group claim (optional): This claim is used to indicate the association of the subject with other users that share a common characteristic. The semantic meaning of that association is application specific, but the common interpretation is group or role membership.
The AttributeName attribute MUST be "Group".
The AttributeNamespace attribute MUST be the URL http://schemas.xmlsoap.org/claims.
The <AttributeValue> element content MUST be a string.
For more information about Group claims, see Appendix A: Windows Behavior.<41>
Implementations MAY define additional claims by prior agreement between federation partners; such claims MUST conform to the following structure:<42>
Custom claim (optional): This claim is used to identify an application-specific attribute possessed by the subject.
The AttributeName attribute MUST be a string constant, per agreement between federation partners.
The AttributeNamespace attribute SHOULD be the URL http://schemas.xmlsoap.org/claims.
The <AttributeValue> element content MAY be an arbitrary data type per agreement between federation partners.
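The following Python is an added example, not text from this specification and not the code of any implementation it describes. It parses a constructed SAML 1.1 AttributeStatement and applies the claim rules of this section on the relying-party side: AttributeName and AttributeNamespace checks, the addr-spec and UPN value syntax, the rule that CommonName MUST NOT drive an access control decision, the SHOULD-level namespace for custom claims, and the Subject/NameIdentifier Format that is mandated when a claim value is reused as the NameIdentifier. Assumptions: the SAML 1.0 assertion namespace for the elements, a simplified addr-spec regular expression (dot-atom "@" dot-atom, no quoted local parts or domain literals), a UPN checked with the same shape, and invented issuer, subject, values and a custom claim named CostCenter.

```python
import re
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.x assertion namespace (assumption)
CLAIMS_NS = "http://schemas.xmlsoap.org/claims"      # AttributeNamespace mandated by the section
# Subject/NameIdentifier Format mandated when a claim value is reused as the NameIdentifier.
NAMEID_FORMATS = {
    "EmailAddress": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "UPN": "http://schemas.xmlsoap.org/claims/UPN",
    "CommonName": "http://schemas.xmlsoap.org/claims/CommonName",
}
# Simplified RFC 2822 addr-spec: dot-atom "@" dot-atom. Assumption: quoted local parts and
# domain literals are not accepted; a production validator needs the full grammar.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM = _ATEXT + r"(\." + _ATEXT + r")*"
ADDR_SPEC_RE = re.compile("^" + _DOT_ATOM + "@" + _DOT_ATOM + "$")
UPN_RE = ADDR_SPEC_RE  # assumption: a UPN is checked as user@dns-domain with the same shape

# Constructed sample assertion; issuer, subject, values and the CostCenter claim are invented.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="_example-1" Issuer="https://sts.example.test">
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="EmailAddress" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>alice@corp.example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="CommonName" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>Auditors</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="CostCenter" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>4711</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_claims(assertion_xml):
    """Return (AttributeName, AttributeNamespace, [values]) for every Attribute of every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = []
    for stmt in root.iter(f"{{{SAML1_NS}}}AttributeStatement"):
        for attr in stmt.findall(f"{{{SAML1_NS}}}Attribute"):
            values = [(v.text or "").strip() for v in attr.findall(f"{{{SAML1_NS}}}AttributeValue")]
            claims.append((attr.get("AttributeName"), attr.get("AttributeNamespace"), values))
    return claims

def validate_claim(name, namespace, values):
    """Apply the section's rules to one claim. ok: MUST-level rules hold; access_control: the section
    permits an access control decision on the value; note: the first violated rule, or "ok"."""
    def result(ok, ac, note):
        return {"ok": ok, "access_control": ac, "note": note}
    if not name:
        return result(False, False, "AttributeName missing")
    if name in ("EmailAddress", "UPN", "CommonName", "Group") and namespace != CLAIMS_NS:
        return result(False, False, "AttributeNamespace MUST be " + CLAIMS_NS)
    if not values or any(v == "" for v in values):
        return result(False, False, "AttributeValue missing or empty")
    if name == "EmailAddress":
        bad = [v for v in values if not ADDR_SPEC_RE.match(v)]
        return result(False, False, "not an addr-spec: " + bad[0]) if bad else result(True, True, "ok")
    if name == "UPN":
        bad = [v for v in values if not UPN_RE.match(v)]
        return result(False, False, "not a UPN: " + bad[0]) if bad else result(True, True, "ok")
    if name == "CommonName":
        # Not necessarily unique: usable as a friendly display name only.
        return result(True, False, "display only; MUST NOT drive access control")
    if name == "Group":
        # Plain strings; the meaning (commonly group or role membership) is application specific.
        return result(True, True, "ok")
    # Custom claim: the name is a partner-agreed constant; the claims namespace is a SHOULD, not a MUST.
    note = "ok" if namespace == CLAIMS_NS else "custom claim outside SHOULD namespace " + CLAIMS_NS
    return result(True, False, note)  # authorization use of custom claims is per partner agreement

def validate_assertion(assertion_xml):
    """Validate every claim in the assertion; returns [(AttributeName, result dict)]."""
    return [(n, validate_claim(n, ns, vals)) for n, ns, vals in extract_claims(assertion_xml)]

def check_name_identifier(assertion_xml):
    """For each NameIdentifier that reuses an EmailAddress, UPN or CommonName claim value, report
    whether its Format attribute is the one mandated for that claim: [(claim name, format ok)]."""
    root = ET.fromstring(assertion_xml)
    claims = extract_claims(assertion_xml)
    checks = []
    for nid in root.iter(f"{{{SAML1_NS}}}NameIdentifier"):
        value, fmt = (nid.text or "").strip(), nid.get("Format")
        for name, _ns, values in claims:
            if name in NAMEID_FORMATS and value in values:
                checks.append((name, fmt == NAMEID_FORMATS[name]))
    return checks

if __name__ == "__main__":
    for name, r in validate_assertion(SAMPLE_ASSERTION):
        print(f"{name:13} ok={r['ok']} access_control={r['access_control']} ({r['note']})")
    print("NameIdentifier Format checks:", check_name_identifier(SAMPLE_ASSERTION))
```

Running the module prints one line per claim; the only claim reported as unusable for access control in the sample is CommonName, which the section reserves for display, and the NameIdentifier check confirms that the emailAddress Format accompanies the reused EmailAddress value. The access_control flag is deliberately separate from ok: a claim can be syntactically valid and still be one a relying party must not authorize on.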