Correct Answer: C
Explanation/Reference:
SAML defines the syntax and semantics for creating XML-encoded assertions to describe authentication, attribute, and authorization (entitlement) information, and for the protocol messages to carry this information between systems. A brief description of the three SAML assertions is provided below.
* Authentication Assertion (not A) - Generated by the authority when a subject successfully authenticates. It includes the identity of the issuer and the principal, the time of authentication, and how long it is valid. Many authentication methods are supported, including passwords, Kerberos, hardware tokens, certificate-based client authentication (SSL/TLS), X.509 public key, PGP, XML digital signature, etc.
* Authorization Decision Assertion (not B) - Issued by a policy decision point (PDP) containing the result of an access control decision. Authentication and attribute assertions may be provided in order to make authorization decisions. The resulting authorization assertion is used to claim access to protected resources. It includes the decision (Permit or Deny), along with the resource URI being accessed, and the action that the principal is authorized to perform.
* Attribute Assertion (not D) - Generally issued by the authority in response to a request containing an authentication assertion. It contains a collection of attribute name/value pairs, in addition to identity and other elements. Attribute assertions can be passed to the authority when authorization decisions need to be made.
Reference: Oracle Reference Architecture, Security, Release 3.1
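The three assertion types described above appear in SAML 2.0 XML as AuthnStatement, AttributeStatement and AuthzDecisionStatement elements. The following Python sketch is an added example, not taken from the referenced Oracle document; it pulls out the fields each description names. The sample assertion is constructed and unsigned, and the issuer, subject, resource and the function name summarize are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (unsigned; issuer, subject and resource are hypothetical).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:58Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>auditor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Decision="Permit" Resource="https://app.example.test/reports">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""

def summarize(xml_text):
    """Return issuer, subject, validity and the fields of each statement type.
    No signature or condition checking is done here; this only reads fields."""
    a = ET.fromstring(xml_text)
    cond = a.find("saml:Conditions", NS)
    out = {"issuer": a.findtext("saml:Issuer", namespaces=NS),
           "subject": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
           "valid_until": cond.get("NotOnOrAfter") if cond is not None else None,
           "authentication": [], "attribute": [], "authorization": []}
    for s in a.findall("saml:AuthnStatement", NS):      # who authenticated, when, how
        out["authentication"].append({
            "when": s.get("AuthnInstant"),
            "method": s.findtext("saml:AuthnContext/saml:AuthnContextClassRef",
                                 namespaces=NS)})
    for s in a.findall("saml:AttributeStatement", NS):  # name/value pairs
        for attr in s.findall("saml:Attribute", NS):
            values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
            out["attribute"].append((attr.get("Name"), values))
    for s in a.findall("saml:AuthzDecisionStatement", NS):  # PDP decision
        out["authorization"].append({
            "decision": s.get("Decision"), "resource": s.get("Resource"),
            "actions": [x.text for x in s.findall("saml:Action", NS)]})
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```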