SAML 2.0 AuthnRequest AudienceRestriction_问答_开发者

SAML 2.0 AuthnRequest AudienceRestriction

开发者 https://www.devze.com 2023-02-14 16:21 出处：网络

During a AuthnRequest, is there a case where the AudienceRestriction <saml:AudienceRestriction> <saml:Audience>http://serviceprovider.com/</saml:Audience>

相关专题：opensso saml

During a AuthnRequest, is there a case where the AudienceRestriction

<saml:AudienceRestriction>
  <saml:Audience>http://serviceprovider.com/</saml:Audience>
</saml:AudienceRestriction>

would be different from the Issuer in the AuthnRequest

   <?xml version="1.0" encoding="UTF-8"?>
  <saml2p:AuthnRequest 
       xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
       xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
       xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
       AssertionConsumerServiceURL="https://serviceprovider.com/acs/web/sso/receiveSamlAuthentication" 
      Destination="http://idp.net/idp/SSOPOST/metaAlias/realm2/IDP"
     ID="http://serviceprovider.com/acsdata/data/AcsConfiguration/821212" IssueInstant="2010-08-2开发者_JAVA技巧0T14:48:27.620Z" Version="2.0">
              <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://serviceprovider.com/</saml2:Issuer>
....
   </saml2p:AuthnRequest>

The SAML 2.0 Web Browser SSO Profile (from saml-profiles-2.0-os.pdf:566/577):

The assertion(s) containing a bearer subject confirmation MUST contain an AudienceRestriction including the service provider's unique identifier as an Audience

So, it seems as though it should always be the case that they are the same, at least to be conformant to the published profile.

Perhaps if you have one login application at one URL, and a "real" application at a different URL? Maybe not common, but hardly impossible; say, having login functionality over HTTPS and the application over HTTP.