Is it valid to have more than 1 <saml:assertions> in a SAML Token response

问题

I am trying to provide compatibility between an existing SAML token system with JWT token schema. The current system generates SAML tokens with a structure as follows:

Is it even valid to have more than one in a SAML token and if yes what would be the JWT representation for the below

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response ID="aed9fa15c020fde" InResponseTo="acd3a67cb14a1d94" IssueInstant="2015-02-18T18:58:14.262Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">......</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="5d41027a4e2c2855" IssueInstant="2015-02-18T18:58:14.262Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">......</saml:Issuer>
    <saml:Subject>
      <saml:NameID NameQualifier="USER" SPProvidedID="1047259662">ab_idl1</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-02-18T18:48:14.262Z" NotOnOrAfter="2015-06-20T18:58:14.262Z"/>
  </saml:Assertion>
  <saml:Assertion ID="5ea9fbba7ab940c0" IssueInstant="2015-02-18T18:58:14.262Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>APPID-b1713f46d4e1</saml:Issuer>
    <saml:Subject>
      <saml:NameID NameQualifier="USER" SPProvidedID="1047259662">user_name_app_name</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-02-18T18:48:14.262Z" NotOnOrAfter="2015-06-20T18:58:14.262Z"/>
    <saml:AttributeStatement>
      <saml:Attribute FriendlyName="user_id1" Name="user_id">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user_name_app_name</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

回答1:

The SAML specification allows for including multiple assertions in a single response but there are not a lot of SAML implementations out there that would be able to produce such a SAML message or consume it.

A comparable JWT representation would probably consist of two claims ("5d41027a4e2c2855" and "5ea9fbba7ab940c0" with their values set to a nested JWT object that includes the attributes name/value pairs. There's no formal mapping between a SAML assertion and a JWT.

来源：https://stackoverflow.com/questions/28592636/is-it-valid-to-have-more-than-1-samlassertions-in-a-saml-token-response