SAML 2.0 AuthnRequest AudienceRestriction


During an AuthnRequest, is there a case where the AudienceRestriction

<saml:AudienceRestriction>
  <saml:Audience>http://serviceprovider.com/</saml:Audience>
</saml:AudienceRestriction>

would be different from the Issuer in the AuthnRequest

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://serviceprovider.com/acs/web/sso/receiveSamlAuthentication"
    Destination="http://idp.net/idp/SSOPOST/metaAlias/realm2/IDP"
    ID="http://serviceprovider.com/acsdata/data/AcsConfiguration/821212"
    IssueInstant="2010-08-20T14:48:27.620Z"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://serviceprovider.com/</saml2:Issuer>
  ....
</saml2p:AuthnRequest>

There are 2 answers

Scott T. (BEST ANSWER)

The SAML 2.0 Web Browser SSO Profile (from saml-profiles-2.0-os.pdf:566/577):

The assertion(s) containing a bearer subject confirmation MUST contain an AudienceRestriction including the service provider's unique identifier as an Audience

So, it seems as though it should always be the case that they are the same, at least to be conformant to the published profile.
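As an added example (not code from the question or from either answer), here is the SP-side check that the quoted profile text implies: the SP compares the Audience of each received bearer assertion against its own entityID, the same value it put into the <saml2:Issuer> of its AuthnRequest. The SP entityID below is assumed to be the Issuer value from the question; the IdP entityID and the sample Response are constructed for the example and are not a capture from a real IdP. The check goes slightly beyond the single-Audience case in the question and handles several AudienceRestriction elements the way SAML core specifies: every AudienceRestriction must be satisfied, and any one Audience inside a restriction satisfies it.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# The SP's entityID. Assumed here to be the Issuer value from the question's
# AuthnRequest; it is the one identifier the SP expects back as an Audience.
SP_ENTITY_ID = "http://serviceprovider.com/"
# Hypothetical IdP entityID, used only to build the constructed sample below.
IDP_ENTITY_ID = "http://idp.net/idp"


def sample_response(audience):
    """Constructed sample <samlp:Response> (not a real IdP capture) carrying one
    bearer assertion. audience=None omits the AudienceRestriction entirely."""
    restriction = (
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction>" if audience else ""
    )
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2010-08-20T14:48:30.000Z"
    InResponseTo="http://serviceprovider.com/acsdata/data/AcsConfiguration/821212">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-08-20T14:48:30.000Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData
            Recipient="https://serviceprovider.com/acs/web/sso/receiveSamlAuthentication"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>{restriction}</saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_audience(response_xml, sp_entity_id=SP_ENTITY_ID):
    """Return True only if every assertion in the Response is bearer-confirmed and
    names sp_entity_id in each of its AudienceRestriction elements.

    Ordering matters: run this after the XML signature on the Response or the
    Assertion has been verified. An audience check on unverified XML proves
    nothing, because an attacker controls the Audience text."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return False
    for assertion in assertions:
        methods = {
            sc.get("Method")
            for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS)
        }
        if BEARER not in methods:
            return False  # Web Browser SSO relies on a bearer subject confirmation
        restrictions = assertion.findall("saml:Conditions/saml:AudienceRestriction", NS)
        if not restrictions:
            return False  # the quoted profile text makes the AudienceRestriction mandatory
        # SAML core: multiple AudienceRestriction elements are ANDed; the Audience
        # values inside a single element are ORed. Comparison is an exact string
        # match on purpose: "http://sp/" and "http://sp" are different entityIDs.
        for restriction in restrictions:
            audiences = {(a.text or "").strip() for a in restriction.findall("saml:Audience", NS)}
            if sp_entity_id not in audiences:
                return False
    return True


if __name__ == "__main__":
    print("own entityID   :", check_audience(sample_response(SP_ENTITY_ID)))
    print("other SP       :", check_audience(sample_response("http://other-sp.example/")))
    print("no restriction :", check_audience(sample_response(None)))
```

The value compared is the SP's entityID, not the ACS URL: the ACS URL travels in the AuthnRequest's AssertionConsumerServiceURL and comes back in SubjectConfirmationData/@Recipient, which the SP should check separately against its own endpoint. The audience check is what stops an assertion the IdP minted for a different SP from being replayed at this one.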

user

Perhaps if you have one login application at one URL, and a "real" application at a different URL? Maybe not common, but hardly impossible; say, having login functionality over HTTPS and the application over HTTP.