Reputation: 10449
During an AuthnRequest, is there a case where the AudienceRestriction
<saml:AudienceRestriction>
    <saml:Audience>http://serviceprovider.com/</saml:Audience>
</saml:AudienceRestriction>
would be different from the Issuer in the AuthnRequest?
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://serviceprovider.com/acs/web/sso/receiveSamlAuthentication"
    Destination="http://idp.net/idp/SSOPOST/metaAlias/realm2/IDP"
    ID="http://serviceprovider.com/acsdata/data/AcsConfiguration/821212"
    IssueInstant="2010-08-20T14:48:27.620Z"
    Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://serviceprovider.com/</saml2:Issuer>
    ....
</saml2p:AuthnRequest>
Upvotes: 0
Views: 4152
Reputation: 6272
The SAML 2.0 Web Browser SSO Profile (from saml-profiles-2.0-os.pdf:566/577):
The assertion(s) containing a bearer subject confirmation MUST contain an AudienceRestriction including the service provider's unique identifier as an Audience
So, it seems as though it should always be the case that they are the same, at least to be conformant to the published profile.
Upvotes: 1
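The profile rule quoted in this answer is what an SP enforces when it consumes the assertion: the Audience must name the SP's own entity ID, i.e. the value the SP sent as Issuer in its AuthnRequest. The following is an added example, not code from the question or the answers; it assumes constructed sample assertions and that the SP's entity ID is http://serviceprovider.com/ (the Issuer in the question's AuthnRequest). Signature and validity-period checks are out of scope here.

```python
"""Check that a SAML 2.0 assertion's AudienceRestriction names this SP.

Added example (not from the question or answers). Assumes the SP entity ID
equals the Issuer value of the AuthnRequest in the question.
"""
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml.ElementTree instead

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "http://serviceprovider.com/"  # the SP's own entityID (assumption)


def audience_ok(assertion_xml, sp_entity_id=SP_ENTITY_ID):
    """True only if the assertion carries an AudienceRestriction naming this SP.

    The Web Browser SSO Profile says a bearer assertion MUST contain an
    AudienceRestriction with the SP's identifier, so a missing element fails
    rather than passes. Several AudienceRestriction elements are independent
    conditions and must all hold; the comparison is an exact string match.
    """
    root = ET.fromstring(assertion_xml)
    restrictions = root.findall(".//saml:Conditions/saml:AudienceRestriction", NS)
    if not restrictions:
        return False
    for r in restrictions:
        audiences = [a.text.strip() for a in r.findall("saml:Audience", NS) if a.text]
        if sp_entity_id not in audiences:
            return False
    return True


def _assertion(*audience_lists):
    """Build a constructed sample assertion, one AudienceRestriction per list."""
    body = "".join(
        "<saml:AudienceRestriction>"
        + "".join(f"<saml:Audience>{a}</saml:Audience>" for a in al)
        + "</saml:AudienceRestriction>"
        for al in audience_lists)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_c1" Version="2.0" '
            'IssueInstant="2010-08-20T14:48:30Z"><saml:Issuer>http://idp.net/idp</saml:Issuer>'
            f"<saml:Conditions>{body}</saml:Conditions></saml:Assertion>")


# Constructed cases (not from the page): (assertion, expected verdict for this SP)
OTHER_SP = "http://other-sp.example/"
CASES = {
    "names this SP": (_assertion([SP_ENTITY_ID]), True),
    "names another SP": (_assertion([OTHER_SP]), False),
    "no AudienceRestriction at all": (_assertion(), False),
    "two restrictions, second names another SP": (_assertion([SP_ENTITY_ID], [OTHER_SP]), False),
    "several audiences including this SP": (_assertion([OTHER_SP, SP_ENTITY_ID]), True),
}
```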
Reputation: 6947
Perhaps if you have one login application at one URL, and a "real" application at a different URL? Maybe not common, but hardly impossible; say, having login functionality over HTTPS and the application over HTTP.
Upvotes: 0