What is the purpose of AudienceRestriction in SAML 2.0?

  • Having read through the core specification for SAML 2.0 section (page 23) I still cannot fully understand the purpose of the AudienceRestriction tag and what problem it is attempting to rectify.

    My, probably incorrect, interpretation of the AudienceRestriction tag is that it facilitates a sort of intention statement declaring for what specific URI with the SP a given assertion is valid.

    Would very much appreciate if someone could explain (a) the purpose of the tag and (b) a typical use-case scenario and (c) any potential implications of its exclusion and/or misuse.

  • SAML 2.0 AudienceRestriction is pretty much what you have gathered. It is a validity condition for an assertion. In particular it declares that the assertion's semantics are only valid for the relying party named by URI in that element.

    The purpose is to restrict the conditions under which the assertion is valid, and to optionally provide terms and conditions relating to such validity. So the semantics of the element have to do with the scope and conditions of the trust relationships. From SAML 2.0 Core, Section

    Although a SAML relying party that is outside the audiences specified is capable of drawing conclusions from an assertion, the SAML asserting party explicitly makes no representation as to accuracy or trustworthiness to such a party...

    ...the <AudienceRestriction> element allows the SAML asserting party to state explicitly that no warranty is provided to such a party in a machine- and human-readable form. While there can be no guarantee that a court would uphold such a warranty exclusion in every circumstance, the probability of upholding the warranty exclusion is considerably improved...

    I.e., it's not a code thing but a human (risk management/warranty/trust) thing. If it's used incorrectly, modules tend to throw errors; most SPs expect themselves to be listed in the AudienceRestriction.

    Where is that quote from?

    I will add the attribution, sorry.

    I see this as one (of many) ways of reducing replay attacks. You cannot capture a SAML assertion valid in one context and reuse it in another context.

    @RolfRander Won't recipient solve that?
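    An added example, not code from the question or the answer above: a Python check that evaluates the AudienceRestriction condition the way an SP would, including the case the question asks about (the element is absent) and the cross-context reuse the comments discuss (an assertion issued for SP A presented to SP B). The assertion XML and the entity IDs are constructed placeholders.

```python
# Added example (not from the question or answer): how an SP evaluates the
# <AudienceRestriction> condition of a SAML 2.0 assertion. The assertion XML
# below is constructed for illustration; all entity IDs are placeholders.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: issued for exactly one audience (SP A).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Conditions NotBefore="2021-07-24T11:00:00Z" NotOnOrAfter="2021-07-24T11:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp-a.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def audience_allowed(assertion_xml: str, my_entity_id: str, strict: bool = True) -> bool:
    """Return True if the assertion names my_entity_id as an intended audience.

    Spec rule (SAML 2.0 Core, section 2.5.1.4): several <AudienceRestriction>
    elements are ANDed (every one must be satisfied); the <Audience> values
    inside one element are ORed (any single match satisfies that element).
    Run this only after the assertion's XML signature has been verified;
    it is a scope check, not a substitute for signature validation.
    """
    root = ET.fromstring(assertion_xml)  # prefer defusedxml for untrusted input
    restrictions = root.findall("saml:Conditions/saml:AudienceRestriction", NS)
    if not restrictions:
        # No audience stated: the IdP makes no representation about who may
        # rely on the assertion. Most SPs reject this; strict=False is the
        # explicit opt-in for deployments that choose to accept it anyway.
        return not strict
    for restriction in restrictions:
        audiences = {a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text}
        if my_entity_id not in audiences:
            return False
    return True


# SP A is the stated audience; SP B is not, however valid the signature is.
print(audience_allowed(ASSERTION, "https://sp-a.example.com/sp"))  # True
print(audience_allowed(ASSERTION, "https://sp-b.example.com/sp"))  # False
```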

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM
