CXF-5674

CXF Support in "Audience Restriction" of SAML 2 (SOAP)


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0-milestone2, 2.7.10
    • Fix Version/s: 3.0.4, 2.7.15
    • Component/s: WS-* Components
    • Labels: None
    • Estimated Complexity: Unknown

    Description

      The part of the specification related to "Audience Restriction" is implemented by CXF (OpenSAML) to verify syntax, but it does not enforce the specification's rule of rejecting tokens whose "Audience Restriction" list of URIs does not include the URI of the target (this) service provider.

      It seems like a gap in OpenSAML (ValidatorSuite / saml2-core-spec-validator). The proposal is to provide the fix in CXF by registering a new validator with saml2-core-spec-validator that will handle "Audience Restriction". For backwards compatibility, this whole thing should be disabled by default. The developer should be able to enable it via configuration and also set the entity ID (URI) representing the service provider.

      “Audience Restriction” as described in SAML specification:
      “The <AudienceRestriction> element specifies that the assertion is addressed to one or more specific audiences identified by <Audience> elements. Although a SAML relying party that is outside the audiences specified is capable of drawing conclusions from an assertion, the SAML asserting party explicitly makes no representation as to accuracy or trustworthiness to such a party”
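The check the issue asks for, written out as an added example rather than CXF's or OpenSAML's code: parse the `<Conditions>/<AudienceRestriction>/<Audience>` elements of a SAML 2.0 assertion and reject the token when the configured service-provider entity ID is absent. Following the proposal, enforcement is off by default and the SP entity ID is supplied by configuration. The function names, the helper that builds the sample assertions, and the entity IDs (`https://sp.example.test/saml` and friends) are all constructed for this example. The example goes slightly beyond the issue text in that it also handles the two cases SAML 2.0 core 2.5.1.4 spells out: an assertion with no `AudienceRestriction` at all is unrestricted (accepted), and when several `AudienceRestriction` elements are present every one of them must name this SP.

```python
"""Added example (not CXF or OpenSAML code): enforce SAML 2.0 AudienceRestriction
against a configured service-provider entity ID, disabled by default as the
issue proposes for backwards compatibility."""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def _q(local: str) -> str:
    """Clark-notation tag name for a saml2 assertion element."""
    return f"{{{SAML2_NS}}}{local}"


def audience_restrictions(assertion_xml: str) -> list:
    """Return one list of Audience URIs per <AudienceRestriction> element.

    SAML 2.0 core 2.5.1.4: Audiences inside one AudienceRestriction are
    alternatives (OR); multiple AudienceRestriction elements must all be
    satisfied (AND). An empty result means the assertion is unrestricted.
    """
    root = ET.fromstring(assertion_xml)
    path = f".//{_q('Conditions')}/{_q('AudienceRestriction')}"
    return [
        [(aud.text or "").strip() for aud in ar.findall(_q("Audience"))]
        for ar in root.findall(path)
    ]


def validate_audience(assertion_xml: str, sp_entity_id: str = None,
                      enabled: bool = False) -> bool:
    """True if the assertion may be accepted by this SP.

    enabled=False (the default) keeps today's behaviour: no audience check.
    With enforcement on, every AudienceRestriction must list sp_entity_id.
    """
    if not enabled:
        return True
    if not sp_entity_id:
        raise ValueError("audience enforcement enabled but no SP entity ID configured")
    for audiences in audience_restrictions(assertion_xml):
        # Exact string comparison of the URIs; no normalisation is attempted.
        if sp_entity_id not in audiences:
            return False
    return True


def _assertion(*restrictions) -> str:
    """Build a minimal constructed assertion; each argument is one group of
    Audience URIs that becomes its own <AudienceRestriction>."""
    conds = "".join(
        "<saml:AudienceRestriction>"
        + "".join(f"<saml:Audience>{a}</saml:Audience>" for a in group)
        + "</saml:AudienceRestriction>"
        for group in restrictions
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_c1" Version="2.0" '
        'IssueInstant="2014-04-01T00:00:00Z">'
        "<saml:Issuer>https://idp.example.test</saml:Issuer>"
        f"<saml:Conditions>{conds}</saml:Conditions>"
        "</saml:Assertion>"
    )


# Constructed sample data (entity IDs are placeholders, not real endpoints).
SP_ID = "https://sp.example.test/saml"
OTHER_SP = "https://other-sp.example.test"
THIRD_SP = "https://third.example.test"
ADDRESSED_TO_US = _assertion([SP_ID])
ADDRESSED_ELSEWHERE = _assertion([OTHER_SP])
UNRESTRICTED = _assertion()
TWO_RESTRICTIONS = _assertion([SP_ID, OTHER_SP], [THIRD_SP])

if __name__ == "__main__":
    for name, xml in [("addressed to us", ADDRESSED_TO_US),
                      ("addressed elsewhere", ADDRESSED_ELSEWHERE),
                      ("unrestricted", UNRESTRICTED),
                      ("two restrictions, one fails", TWO_RESTRICTIONS)]:
        print(f"{name:30} default: {validate_audience(xml, SP_ID)!s:5} "
              f"enforced: {validate_audience(xml, SP_ID, enabled=True)}")
```

Only the audience rule is shown here; a real deployment still relies on the existing signature, issuer and validity-period checks, and this validator sits alongside them rather than replacing them.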

          People

            Assignee: Colm O hEigeartaigh (coheigea)
            Reporter: Yossi Cohen (yossico)


              Time Tracking

                Original Estimate: 96h
                Remaining Estimate: 96h
                Time Spent: Not Specified