What is the use of the SAML audience tag? How can we validate this in Apigee?

SAML has the "audience" tag, as shown in the example below:

        <saml:AudienceRestriction>
          <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
        </saml:AudienceRestriction>

Can someone explain what the use of this tag is? And how can we validate this tag in Apigee?


Dear @AMAR DEVEGOWDA ,

See a similar question answered here on Security Stack Exchange, and a related blog article that has a good explanation.

Cheers,

Anil Sagar

@Anil Sagar,

Thanks for sharing the links.

Adding to Anil's answer,

In simple terms, it basically identifies the audience [service providers] for whom this assertion is intended.

Typically, you will identify your service in your identity provider by a name [for e.g., https://sp.example.com/SAML2], and the IdP can add an Audience element with this identifier. So in this case, if you are validating at Apigee, you would typically have an ID associated with Apigee [let's say http://sp.apigee.net/saml], and you can check whether your ID is present in the Audience element.

Please refer to http://apigee.com/docs/api-services/reference/saml-assertion-policy for SAML validation.

This policy does not validate the Audience, so you can extract the Audience using XPath and check for the validity of the same.
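The XPath-based audience check described in this reply, written out as an added example (it is not code from the thread or from Apigee). It extracts every saml:Audience value from the assertion's Conditions and compares it exactly against the service provider's own identifier. The assertion text, the identifier http://sp.apigee.net/saml and the helper names are constructed for illustration; the example goes slightly beyond the reply by also handling two edge cases the SAML 2.0 core spec defines: an assertion with several AudienceRestriction elements (each is evaluated independently, so all must match) and an assertion with no AudienceRestriction at all (treated here as invalid, a fail-closed policy choice rather than a spec requirement).

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace, used for the XPath lookups below.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (no signature, not a real token). It lists two
# audiences inside one AudienceRestriction; either one satisfies that restriction.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
      <saml:Audience> http://sp.apigee.net/saml </saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed assertion with two independent AudienceRestriction elements.
# Per SAML 2.0 core, each restriction is evaluated on its own, so the relying
# party must appear in both; here no single identifier appears in both.
TWO_RESTRICTIONS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example-2" Version="2.0">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>http://sp.apigee.net/saml</saml:Audience>
    </saml:AudienceRestriction>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed assertion that carries no AudienceRestriction at all.
NO_RESTRICTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example-3" Version="2.0">
  <saml:Conditions/>
</saml:Assertion>"""


def extract_audiences(assertion_xml):
    """Return one list of Audience strings per AudienceRestriction element.

    Uses the same XPath idea as the reply above: locate Conditions/AudienceRestriction
    anywhere under the root (the assertion may be wrapped in a Response) and read
    each child Audience. Values are whitespace-trimmed but otherwise left as-is.
    (In production, parse untrusted XML with defusedxml instead of plain ElementTree.)
    """
    root = ET.fromstring(assertion_xml)
    restrictions = root.findall(".//saml:Conditions/saml:AudienceRestriction", NS)
    return [
        [(aud.text or "").strip() for aud in restriction.findall("saml:Audience", NS)]
        for restriction in restrictions
    ]


def audience_is_valid(assertion_xml, my_entity_id):
    """True only if my_entity_id satisfies every AudienceRestriction.

    Comparison is an exact string match: a prefix or substring match (for example
    "sp.apigee.net" against "http://sp.apigee.net/saml") is rejected, so an
    assertion minted for a different service is never accepted here.
    An assertion with no AudienceRestriction is rejected as a fail-closed choice.
    """
    groups = extract_audiences(assertion_xml)
    if not groups:
        return False
    return all(my_entity_id in group for group in groups)


if __name__ == "__main__":
    apigee_id = "http://sp.apigee.net/saml"
    print("audiences:", extract_audiences(SAMPLE_ASSERTION))
    print("single restriction, apigee id:", audience_is_valid(SAMPLE_ASSERTION, apigee_id))
    print("two restrictions, apigee id:", audience_is_valid(TWO_RESTRICTIONS, apigee_id))
    print("no restriction, apigee id:", audience_is_valid(NO_RESTRICTION, apigee_id))
```

In an Apigee proxy the same logic maps to an ExtractVariables step that pulls the Audience values with XPath, followed by a conditional step that raises a fault when the proxy's own identifier is not among them; the comparison should stay an exact match, as above.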

@Mukundha Madhavan

Thanks for answering both the questions. I will try to use XPath to validate the audience tag.