<saml:Assertion
   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   xmlns:xs="http://www.w3.org/2001/XMLSchema"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   Version="2.0"

   ID="urn:uuid:f7eca768-59c0-11e0-bf7d-fbbaa0f3405c"

   IssueInstant="2004-12-05T09:22:05Z">

   <saml:Issuer>https://cn.dataone.org/identity</saml:Issuer>
   <ds:Signature
     xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
   <saml:Subject>
     <saml:NameID
       Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
       SPProvidedID="CN=Some User,O=University One,C=US">
       uid=jones,o=NCEAS,dc=ecoinformatics,dc=org
     </saml:NameID>
     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
       <saml:SubjectConfirmationData Address="10.0.45.21" />
     </saml:SubjectConfirmation>
   </saml:Subject>
   <saml:Conditions
     NotBefore="2004-12-05T09:17:05Z"
     NotOnOrAfter="2004-12-05T09:27:05Z">
   </saml:Conditions>
   <saml:AuthnStatement AuthnInstant="2010-11-25T13:15:13Z">
     <saml:AuthnContext>
       <saml:AuthnContextClassRef>
         urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
       </saml:AuthnContextClassRef>
       <!-- Note: One might also use X509 certs to authenticate, in which case the
            context class would be:
            urn:oasis:names:tc:SAML:2.0:ac:classes:X509
       -->
     </saml:AuthnContext>
   </saml:AuthnStatement>
   <saml:AttributeStatement>
     <saml:Attribute
       xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
       x500:Encoding="LDAP"
       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
       Name="urn:oid:2.5.4.42"
       FriendlyName="givenName">
       <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue>
     </saml:Attribute>
     <saml:Attribute
       xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
       x500:Encoding="LDAP"
       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
       Name="urn:oid:2.5.4.4"
       FriendlyName="sn">
       <saml:AttributeValue xsi:type="xs:string">Thumb</saml:AttributeValue>
     </saml:Attribute>
     <saml:Attribute
       xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
       x500:Encoding="LDAP"
       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
       Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
       FriendlyName="mail">
       <saml:AttributeValue xsi:type="xs:string">someone@gmail.com</saml:AttributeValue>
     </saml:Attribute>
     <saml:Attribute
       xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
       x500:Encoding="LDAP"
       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
       Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
       FriendlyName="isMemberOf">
       <saml:AttributeValue xsi:type="xs:string">
         cn=staff,o=NCEAS,dc=dataone,dc=org
       </saml:AttributeValue>
     </saml:Attribute>
     <saml:Attribute 
       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
       Name="urn:oasis:names:tc:SAML:2.0:profiles:session:sessionId"
       FriendlyName="sessionId"
       xsi:type="xs:string">urn:uuid:f7eca768-59c0-11e0-bf7d-fbbaa0f3405c
     </saml:Attribute>
     <saml:Attribute 
       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
       Name="urn:dataone:attributenames:equivalentIdentity"
       FriendlyName="equivalentIdentity"
       xsi:type="xs:string">mbjones@NCEAS
     </saml:Attribute>
     <saml:Attribute 
       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
       Name="urn:dataone:attributenames:equivalentIdentity"
       FriendlyName="equivalentIdentity"
       xsi:type="xs:string">
         /DC=org/DC=cilogon/C=US/O=ProtectNetwork/CN=Matthew Jones A332
     </saml:Attribute>
   </saml:AttributeStatement>
</saml:Assertion>