Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-15838

[GSS](7.1.z) PLINK-692 - Audience restriction check is too strict


      The audience restriction check implemented in PLINK-678 is too strict in that it only accepts the service URL as a valid audience. However, the SAML 2.0 specification (section defines the audience restriction otherwise:

      A URI reference that identifies an intended audience. The URI reference MAY identify a document
      that describes the terms and conditions of audience membership. It MAY also contain the unique
      identifier URI from a SAML name identifier that describes a system entity (see Section 8.3.6).

      Section 8.3.6 refers to the use of entity IDs (e.g. as defined in the SP metadata).

      Shibboleth IdP 3.0 uses the SP's entity ID as the value for the audience restriction, which causes PicketLink to fail the authentication process. Here are the relevant XML fragments:

      <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:samltest:picketlink-wildfly8">
      <!-- Contents here -->
      SAML Response
              <saml2:Conditions NotBefore="2015-03-05T16:16:05.277Z" NotOnOrAfter="2015-03-05T16:21:05.277Z">

      Section of the SAML 2.0 specification also states:

      Although a SAML relying party that is outside the
      audiences specified is capable of drawing conclusions from an assertion, the SAML asserting party
      explicitly makes no representation as to accuracy or trustworthiness to such a party.

      This seems to suggest that the audience restriction check should be optional (i.e. subject to configuration) rather than being enforced unconditionally.

            rhn-support-ivassile Ilia Vassilev
            rhn-support-ivassile Ilia Vassilev
            0 Vote for this issue
            4 Start watching this issue