What is the connection between acts of authentication and SAML authentication assertions?
Any entity that can authenticate another entity (verify its identity) can potentially act as an authentication authority and issue a SAML authentication assertion. It is up to relying parties, for example a PDP, to decide which authentication authorities they choose to trust. The means of ensuring that the entity making a request and the entity referred to by an assertion are one and the same depends on the environment and protocols being used. The general mechanism provided is the SubjectConfirmation element, which is intended to carry data appropriate to the environment. Possible mechanisms include an artifact encoded in a URL, a Kerberos service ticket, or a public key associated with a signature on a document. SAML profiles will specify the details for different situations. It is expected that others besides the SAML Technical Committee will define other schemes appropriate for other environments. They might or might not publish these as profiles, but doing so ensures greater inter
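
A relying party's check of the two decisions described above (which authority to trust, and whether the requester is the assertion's subject), as an added example that is not part of the original FAQ. It assumes SAML 2.0 element names and confirmation-method URIs, an assertion whose XML signature has already been verified, and a hypothetical `proven_key` value naming the key the requester proved possession of; the sample assertion and its URLs are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CM = "urn:oasis:names:tc:SAML:2.0:cm:"

# Constructed sample. Signature omitted: assumed verified before this check.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z">
        <ds:KeyInfo><ds:KeyName>constructed-key-1</ds:KeyName></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

def confirm_subject(xml_text, trusted_issuers, now, recipient=None, proven_key=None):
    """Return (subject, method) if the requester is confirmed, else raise ValueError.
    proven_key (hypothetical): name of the key the requester proved possession of."""
    root = ET.fromstring(xml_text)  # untrusted input: prefer defusedxml in production
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:  # the relying party's own trust decision
        raise ValueError(f"untrusted authentication authority: {issuer}")
    subject = root.find("saml:Subject", NS)
    if subject is None:
        raise ValueError("assertion has no Subject")
    name = subject.findtext("saml:NameID", namespaces=NS)
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        method = sc.get("Method", "")
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            continue
        expiry = data.get("NotOnOrAfter")
        if expiry and now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
            continue  # confirmation window has closed
        if method == CM + "bearer":
            # Bearer: require an expiry and that this endpoint is the Recipient.
            if expiry and recipient and data.get("Recipient") == recipient:
                return name, "bearer"
        elif method == CM + "holder-of-key":
            # Holder-of-key: the requester must have proven the embedded key.
            key = data.findtext("ds:KeyInfo/ds:KeyName", namespaces=NS)
            if proven_key and key == proven_key:
                return name, "holder-of-key"
    raise ValueError("no SubjectConfirmation satisfied by this requester")
```

`now` must be a timezone-aware `datetime`, since it is compared against the assertion's UTC timestamps.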