Hi,
As per [1] (in [2] this is defined as <AudienceRestriction>):
<extract>
2.3.2.1.3 Elements <AudienceRestrictionCondition> and <Audience>
-----------------------------------------------------------------
The <AudienceRestrictionCondition> element specifies that the assertion is addressed to one or more specific audiences identified by <Audience> elements. Although a SAML relying party that is outside the audiences specified is capable of drawing conclusions from an assertion, the SAML authority explicitly makes no representation as to accuracy or trustworthiness to such a party. It contains the following elements:

<Audience>
-----------
A URI reference that identifies an intended audience. The URI reference MAY identify a document that describes the terms and conditions of audience membership.

The audience restriction condition evaluates to Valid if and only if the SAML relying party is a member of one or more of the audiences specified.

The SAML authority cannot prevent a party to whom the assertion is disclosed from taking action on the basis of the information provided. However, the <AudienceRestrictionCondition> element allows the SAML authority to state explicitly that no warranty is provided to such a party in a machine- and human-readable form. While there can be no guarantee that a court would uphold such a warranty exclusion in
</extract>
This is an optional element, which we currently do not support.
I think it's logical to add an AudienceRestriction, set by default to the
"AppliesToAddress" when present.
Thoughts?
Thanks & regards.
- Prabath
[1]:http://www.oasis-open.org/committees/download.php/3406/oasis-sstc-saml-core-1.1.pdf
[2]:http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
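The relying-party side of the condition quoted above, as an added example that is not from this thread or the WSO2 code base: it evaluates the audience restriction of a SAML 1.1 (<AudienceRestrictionCondition>) or SAML 2.0 (<AudienceRestriction>) assertion against the audience URIs the relying party claims, following the rule that each restriction element is Valid only if at least one listed <Audience> matches, all restriction elements must be Valid, and an assertion with no restriction element is unrestricted. The sample assertions are constructed and carry no signature or subject; a real relying party would verify the signature and the other conditions as well.

```python
import xml.etree.ElementTree as ET

# Assertion namespaces of the two specs cited in the thread ([1] SAML 1.1, [2] SAML 2.0).
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
# SAML 1.1 calls the element <AudienceRestrictionCondition>, SAML 2.0 <AudienceRestriction>.
RESTRICTION_TAG = {SAML11: "AudienceRestrictionCondition", SAML2: "AudienceRestriction"}


def audience_restriction_valid(assertion_xml, relying_party_audiences):
    """Evaluate an assertion's audience restriction(s) for one relying party.

    Per the quoted text: a restriction element is Valid iff the relying party is a
    member of at least one of its <Audience> URIs; every such element under
    <Conditions> must be Valid; no element at all means no restriction (it is optional).
    """
    root = ET.fromstring(assertion_xml)
    ns = root.tag[1:].split("}")[0]  # namespace of the root <Assertion>
    if ns not in RESTRICTION_TAG:
        raise ValueError("not a SAML 1.x or 2.0 assertion: " + ns)
    tag = lambda local: "{%s}%s" % (ns, local)
    ours = {a.strip() for a in relying_party_audiences}
    conditions = root.find(tag("Conditions"))
    restrictions = [] if conditions is None else conditions.findall(tag(RESTRICTION_TAG[ns]))
    for restriction in restrictions:
        # Audience URIs are compared as exact strings after trimming whitespace.
        listed = {(a.text or "").strip() for a in restriction.findall(tag("Audience"))}
        if not listed & ours:
            return False  # addressed to another party: reject rather than act on it
    return True


# Constructed sample assertions (subject and signature omitted; not real data).
SAML2_SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp.example.com/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

SAML11_SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_c2" Issuer="https://idp.example.org"
    IssueInstant="2004-12-05T09:22:05Z">
  <saml:Conditions><saml:AudienceRestrictionCondition>
    <saml:Audience>https://sp.example.com/saml</saml:Audience>
    <saml:Audience>https://partner.example.net/</saml:Audience>
  </saml:AudienceRestrictionCondition></saml:Conditions>
</saml:Assertion>"""
```

An assertion whose audience is some other service provider fails the check even when its signature is good, which is the point of issuing it with a restriction in the first place.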
_______________________________________________
Identity-dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/identity-dev