Status: Verified (View Workflow)
Affects Version/s: 7.2.0.GA
Git Pull Request:
The audience restriction check implemented in
PLINK-678 is too strict in that it only accepts the service URL as a valid audience. However, the SAML 2.0 specification (section 22.214.171.124) defines the audience restriction otherwise:
A URI reference that identifies an intended audience. The URI reference MAY identify a document
that describes the terms and conditions of audience membership. It MAY also contain the unique
identifier URI from a SAML name identifier that describes a system entity (see Section 8.3.6).
Section 8.3.6 refers to the use of entity IDs (e.g. as defined in the SP metadata).
Shibboleth IdP 3.0 uses the SP's entity ID as the value for the audience restriction, which causes PicketLink to fail the authentication process. Here are the relevant XML fragments:
Section 126.96.36.199 of the SAML 2.0 specification also states:
Although a SAML relying party that is outside the
audiences specified is capable of drawing conclusions from an assertion, the SAML asserting party
explicitly makes no representation as to accuracy or trustworthiness to such a party.
This seems to suggest that the audience restriction check should be optional (i.e. subject to configuration) rather than being enforced unconditionally.