...
Obviously the assertion is likely to contain arbitrary attribute information that the Portal or Portlets can consume directly. The example uses a transient <saml:NameID>
element for the principal, but a transient identifier is not a requirement. It is left unencrypted because the assertion is shared only between the Portal and the IdP.
One of the attributes is not about the user at all: it tells the Portal how to contact the IdP's ID-WSF Single Sign-On Service using the assertion as an authentication token. The EPR (endpoint reference) carries the service location, the security mechanism to use, and a pointer to the token to present, in this case the enclosing assertion itself.
Finally, note that the assertion lifetime is set to one hour. The implication is that the assertion is usable at the IdP only for that duration; it has no bearing on the lifetime of the user's session with the Portal itself. This period can obviously be set as desired.
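As an added illustration (not code from the original article), the following shows how a Portal would consume such an assertion: enforce the one-hour validity window before reusing it as a token, then extract the transient NameID, the EPR's address and security mechanism, and confirm that the EPR's token reference really points back at the enclosing assertion. The sample assertion is constructed here, and the EPR layout (wsa:Address, disco:SecurityContext, sec:Token ref) and the mechanism URI are assumptions about ID-WSF 2.0 discovery, not quoted from the article.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "disco": "urn:liberty:disco:2006-08", "sec": "urn:liberty:security:2006-08"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample (not from the article): transient NameID, a one-hour window,
# and an attribute carrying an ID-WSF EPR (assumed layout) naming this assertion as its token.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7f3c</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T13:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:liberty:disco:2006-08:DiscoveryEPR"><saml:AttributeValue>
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"
          xmlns:disco="urn:liberty:disco:2006-08" xmlns:sec="urn:liberty:security:2006-08">
        <wsa:Address>https://idp.example.org/idwsf/sso</wsa:Address>
        <wsa:Metadata><disco:SecurityContext>
          <disco:SecurityMechID>urn:liberty:security:2006-08:TLS:SAMLV2</disco:SecurityMechID>
          <sec:Token ref="#a1"/>
        </disco:SecurityContext></wsa:Metadata>
      </wsa:EndpointReference>
    </saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml, now):
    """Enforce the validity window, then pull out what the Portal needs."""
    a = ET.fromstring(xml)
    cond = a.find("saml:Conditions", NS)
    nb, noa = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if not nb <= now < noa:
        return None  # outside the window: do not present the token to the IdP
    name_id = a.find("saml:Subject/saml:NameID", NS)
    epr = a.find(".//wsa:EndpointReference", NS)
    return {
        "transient": name_id.get("Format") == TRANSIENT,
        "endpoint": epr.findtext("wsa:Address", namespaces=NS),
        "mech": epr.findtext(".//disco:SecurityMechID", namespaces=NS),
        "token_is_self": epr.find(".//sec:Token", NS).get("ref") == "#" + a.get("ID"),
        "lifetime_seconds": int((noa - nb).total_seconds()),
    }
```

Signature verification over the assertion is deliberately out of scope here; in a real deployment the Portal must validate the IdP's signature before trusting any of these fields.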
...