开发者

SAML 2.0 AuthnRequest AudienceRestriction

During a AuthnRequest, is there a case where the AudienceRestriction

<saml:AudienceRestriction>
  <saml:Audience>http://serviceprovider.com/</saml:Audience>
</saml:AudienceRestriction>

would be different from the Issuer in the AuthnRequest

   <?xml version="1.0" encoding="UTF-8"?>
  <saml2p:AuthnRequest 
       xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
       xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
       xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
       AssertionConsumerServiceURL="https://serviceprovider.com/acs/web/sso/receiveSamlAuthentication" 
      Destination="http://idp.net/idp/SSOPOST/metaAlias/realm2/IDP"
     ID="http://serviceprovider.com/acsdata/data/AcsConfiguration/821212" IssueInstant="2010-08-2开发者_JAVA技巧0T14:48:27.620Z" Version="2.0">
              <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://serviceprovider.com/</saml2:Issuer>
....
   </saml2p:AuthnRequest>


The SAML 2.0 Web Browser SSO Profile (from saml-profiles-2.0-os.pdf:566/577):

The assertion(s) containing a bearer subject confirmation MUST contain an AudienceRestriction including the service provider's unique identifier as an Audience

So, it seems as though it should always be the case that they are the same, at least to be conformant to the published profile.


Perhaps if you have one login application at one URL, and a "real" application at a different URL? Maybe not common, but hardly impossible; say, having login functionality over HTTPS and the application over HTTP.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜