
8.1 SAML 2.0 Artifact Response with SAML 2.0 SSO Assertion and Two Bootstraps

Both bootstraps illustrate the use of a SAML assertion as a bearer token.

 <!-- Notation: throughout this listing "</>" closes the innermost open element.
      The markup is abbreviated for display and is not well-formed XML as printed. -->
 <soap:Envelope
    xmlns:lib="urn:liberty:iff:2003-08"
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soap:Body>

    <!-- ArtifactResponse: the SP should check that InResponseTo matches the ID of
         the ArtifactResolve it sent; an unexpected value is grounds for rejection. -->
    <sp:ArtifactResponse
        xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="REvgoIIlkzTmk-aIX6tKE"
        InResponseTo="RfAsltVf2"
        IssueInstant="2007-02-10T05:38:15Z"
        Version="2.0">
      <sa:Issuer
          xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
          Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
        https://a-idp.liberty-iop.org:8881/idp.xml</>
      <sp:Status>
        <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></>

      <!-- Embedded SSO Response. It carries no ds:Signature of its own, so the
           signature on the assertion below is the only integrity protection on
           this payload. InResponseTo should match the AuthnRequest ID the SP issued. -->
      <sp:Response
          xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
          ID="RCCzu13z77SiSXqsFp1u1"
          InResponseTo="NojFIIhxw"
          IssueInstant="2007-02-10T05:37:42Z"
          Version="2.0">
        <sa:Issuer
            xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
          https://a-idp.liberty-iop.org:8881/idp.xml</>
        <sp:Status>
          <sp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></>

        <!-- Outer (SSO) assertion, consumed by the SP. Its ID is the target of the
             enveloped signature Reference below. -->
        <sa:Assertion
            xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
            ID="ASSE6bgfaV-sapQsAilXOvBu"
            IssueInstant="2007-02-10T05:37:42Z"
            Version="2.0">
          <sa:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
            https://a-idp.liberty-iop.org:8881/idp.xml</>

          <!-- Enveloped signature over the SSO assertion. Reference URI matches the
               Assertion ID above; a verifier should confirm the signed Reference
               resolves to the very element it consumes, not merely that some
               signature in the document validates. rsa-sha1 and sha1 reflect the
               2007 date of this example; current profiles require SHA-256 based
               algorithms. DigestValue and SignatureValue appear shortened for display. -->
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#ASSE6bgfaV-sapQsAilXOvBu">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>r8OvtNmq5LkYwCNg6bsRZAdT4NE=</></></>
            <ds:SignatureValue>GtWVZzHYW54ioHk/C7zjDRThohrpwC4=</></>

          <!-- Bearer confirmation: possession of the token is the only proof. The SP
               must check Recipient against its own assertion consumer URL and
               NotOnOrAfter against the current time. -->
          <sa:Subject>
            <sa:NameID
                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                NameQualifier="https://a-idp.liberty-iop.org:8881/idp.xml">PB5fLIA4lRU2bH4HkQsn9</>
            <sa:SubjectConfirmation
                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
              <sa:SubjectConfirmationData
                  NotOnOrAfter="2007-02-10T06:37:41Z"
                  Recipient="https://sp1.zxidsp.org:8443/zxidhlo?o=B"/></></>

          <!-- Validity window and audience (the SP). Both must be enforced by the SP
               before the assertion is accepted. -->
          <sa:Conditions
              NotBefore="2007-02-10T05:32:42Z"
              NotOnOrAfter="2007-02-10T06:37:42Z">
            <sa:AudienceRestriction>
              <sa:Audience>https://sp1.zxidsp.org:8443/zxidhlo?o=B</></></>

          <sa:Advice>

            <!-- This assertion is the credential for the ID-WSF 1.1 bootstrap (below). -->

            <!-- Its ID (CREDOTGAkvhNoP1aiTq4bXBg) is what di12:CredentialRef in the
                 AttributeStatement below refers to. It is separately signed. -->
            <sa:Assertion
                ID="CREDOTGAkvhNoP1aiTq4bXBg"
                IssueInstant="2007-02-10T05:37:42Z"
                Version="2.0">
              <sa:Issuer
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                https://a-idp.liberty-iop.org:8881/idp.xml</>
              <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                  <ds:Reference URI="#CREDOTGAkvhNoP1aiTq4bXBg">
                    <ds:Transforms>
                      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>dqq/28hw5eEv+ceFyiLImeJ1P8w=</></></>
                <ds:SignatureValue>UKlEgHKQwuoCE=</></>
              <sa:Subject>
                <sa:NameID/>  <!-- *** Bug here!!! -->
                <!-- The NameID above is empty, so this credential names no subject;
                     the bearer SubjectConfirmation also carries no SubjectConfirmationData. -->
                <sa:SubjectConfirmation
                    Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></>
              <sa:Conditions
                  NotBefore="2007-02-10T05:32:42Z"
                  NotOnOrAfter="2007-02-10T06:37:42Z">
                <sa:AudienceRestriction>
                  <sa:Audience>https://sp1.zxidsp.org:8443/zxidhlo?o=B</></></></></>

          <sa:AuthnStatement
              AuthnInstant="2007-02-10T05:37:42Z"
              SessionIndex="1171085858-4">
            <sa:AuthnContext>
              <sa:AuthnContextClassRef>
                urn:oasis:names:tc:SAML:2.0:ac:classes:Password</></></>

          <sa:AttributeStatement>

            <!-- Regular attribute -->

            <sa:Attribute
                Name="cn"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <sa:AttributeValue>Sue</></>

            <!-- ID-WSF 1.1 Bootstrap for discovery. See also the Advice, above. -->

            <sa:Attribute
                Name="DiscoveryResourceOffering"
                NameFormat="urn:liberty:disco:2003-08">
              <sa:AttributeValue>
                <di12:ResourceOffering
                    xmlns:di12="urn:liberty:disco:2003-08"
                    entryID="2">
                  <di12:ResourceID>
                    https://a-idp.liberty-iop.org/profiles/WSF1.1/RID-DISCO-sue</>
                  <di12:ServiceInstance>
                    <di12:ServiceType>urn:liberty:disco:2003-08</>
                    <di12:ProviderID>https://a-idp.liberty-iop.org:8881/idp.xml</>
                    <di12:Description>
                      <di12:SecurityMechID>urn:liberty:security:2005-02:TLS:Bearer</>
                      <!-- Resolves to the ID of the assertion in sa:Advice above. -->
                      <di12:CredentialRef>CREDOTGAkvhNoP1aiTq4bXBg</>
                      <di12:Endpoint>https://a-idp.liberty-iop.org:8881/DISCO-S</></></>
                  <di12:Abstract>Symlabs Discovery Service Team G</></></></>

            <!-- ID-WSF 2.0 Bootstrap for Discovery. The credential (bearer token) is inline. -->

            <sa:Attribute
                Name="urn:liberty:disco:2006-08:DiscoveryEPR"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <sa:AttributeValue>
                <!-- The EPR's notOnOrAfter (07:37:42Z) is an hour later than the
                     NotOnOrAfter of the token it carries (06:37:42Z); the token's
                     own Conditions govern how long it can be presented. -->
                <wsa:EndpointReference
                    xmlns:wsa="http://www.w3.org/2005/08/addressing"
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                    notOnOrAfter="2007-02-10T07:37:42Z"
                    wsu:Id="EPRIDcjP8ObO9In47SDjO9b37">
                  <wsa:Address>https://a-idp.liberty-iop.org:8881/DISCO-S</>
                  <wsa:Metadata xmlns:di="urn:liberty:disco:2006-08">
                    <di:Abstract>SYMfiam Discovery Service</>
                    <sbf:Framework xmlns:sbf="urn:liberty:sb" version="2.0"/>
                    <di:ProviderID>https://a-idp.liberty-iop.org:8881/idp.xml</>
                    <di:ServiceType>urn:liberty:disco:2006-08</>
                    <di:SecurityContext>
                      <di:SecurityMechID>urn:liberty:security:2005-02:TLS:Bearer</>

                      <sec:Token
                          xmlns:sec="urn:liberty:security:2006-08"
                          usage="urn:liberty:security:tokenusage:2006-08:SecurityToken">

                        <!-- Inline bearer token for the ID-WSF 2.0 Discovery Service.
                             Whoever holds it can present it until Conditions/NotOnOrAfter,
                             so the whole response must travel over a confidential channel
                             (SecurityMechID above is TLS:Bearer). Unlike the outer assertion,
                             its SubjectConfirmation has no SubjectConfirmationData (no
                             Recipient, no NotOnOrAfter), its NameID differs from the
                             SP-facing persistent NameID, and its Audience is the IdP /
                             Discovery Service rather than the SP. -->
                        <sa:Assertion
                            ID="CREDV6ZBMyicmyvDq9pLIoSR"
                            IssueInstant="2007-02-10T05:37:42Z"
                            Version="2.0">
                          <sa:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                            https://a-idp.liberty-iop.org:8881/idp.xml</>
                          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                            <ds:SignedInfo>
                              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                              <ds:Reference URI="#CREDV6ZBMyicmyvDq9pLIoSR">
                                <ds:Transforms>
                                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></>
                                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                <ds:DigestValue>o2SgbuKIBzl4e0dQoTwiyqXr/8Y=</></></>
                            <ds:SignatureValue>hHdUKaZ//cZ8UYJxvTReNU=</></>
                          <sa:Subject>
                            <sa:NameID
                                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                                NameQualifier="https://a-idp.liberty-iop.org:8881/idp.xml">
                              9my93VkP3tSxEOIb3ckvjLpn0pa6aV3yFXioWX-TzZI=</>
                            <sa:SubjectConfirmation
                                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></>
                          <sa:Conditions
                              NotBefore="2007-02-10T05:32:42Z"
                              NotOnOrAfter="2007-02-10T06:37:42Z">
                            <sa:AudienceRestriction>
                              <sa:Audience>https://a-idp.liberty-iop.org:8881/idp.xml</></></>
                          <sa:AuthnStatement AuthnInstant="2007-02-10T05:37:42Z">
                            <sa:AuthnContext>
                              <sa:AuthnContextClassRef>
                                urn:oasis:names:tc:SAML:2.0:ac:classes:Password</></></></></></></></></></></></></></></></>

N.B. The AttributeStatement/Attribute/AttributeValue/EndpointReference/Metadata/SecurityContext/Token/Assertion/Conditions/AudienceRestriction/Audience is the same as the IdP because in many products the IdP and Discovery Service roles are implemented by the same entity. Note also that the audience of the inner assertion is the Discovery Service, whereas the audience of the outer assertion is the SP that will eventually call the Discovery Service.

