SAML 2.0 AuthnRequest AudienceRestriction
During a AuthnRequest, is there a case where the AudienceRestriction
<saml:AudienceRestriction>
<saml:Audience>http://serviceprovider.com/</saml:Audience>
</saml:AudienceRestriction>
would be different from the Issuer in the AuthnRequest
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://serviceprovider.com/acs/web/sso/receiveSamlAuthentication"
Destination="http://idp.net/idp/SSOPOST/metaAlias/realm2/IDP"
ID="http://serviceprovider.com/acsdata/data/AcsConfiguration/821212" IssueInstant="2010-08-2开发者_JAVA技巧0T14:48:27.620Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://serviceprovider.com/</saml2:Issuer>
....
</saml2p:AuthnRequest>
The SAML 2.0 Web Browser SSO Profile (from saml-profiles-2.0-os.pdf:566/577):
The assertion(s) containing a bearer subject confirmation MUST contain an AudienceRestriction including the service provider's unique identifier as an Audience
So, it seems as though it should always be the case that they are the same, at least to be conformant to the published profile.
Perhaps if you have one login application at one URL, and a "real" application at a different URL? Maybe not common, but hardly impossible; say, having login functionality over HTTPS and the application over HTTP.
精彩评论