Hi,

We have encountered an issue where https://example.com and https://example.com:443 don't match when included in SAML audience restrictions.

As far as I can tell this is because the code to validate matching is just basic string comparison (and should probably use Sets rather than Lists): https://github.com/apache/ws-wss4j/blob/74df6178e87edbf28b267845c7dcaa5203df5eca/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java#L902

Using java.net.URI to resolve this would be handy – also as the actual type that should be parsed from the SAML, not String, since the type in the XSD is anyURI…

I don't see a security issue here, and the specs for the SAML core recommend doing it for at least the authz stuff.

Nimish
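As an added illustration (not code from WSS4J or from the poster), here is how an audience check could canonicalize each value before comparing, using java.net.URI plus the scheme-based normalization of RFC 3986 section 6.2.3 (lower-case scheme and host, default port dropped, empty path written as "/"). Note that java.net.URI on its own does not treat ":443" as equal to no port, so the default-port mapping has to be explicit; the class and method names are hypothetical and List.of needs Java 9 or later.

```java
import java.net.*;
import java.util.*;
public class AudienceMatcher {
    // Default ports for scheme-based normalization (RFC 3986 section 6.2.3).
    private static int defaultPort(String scheme) {
        switch (scheme) {
            case "http":  return 80;
            case "https": return 443;
            default:      return -1;
        }
    }
    // Canonical form: lower-case scheme and host, default port dropped, dot-segments
    // removed, empty path written as "/". Userinfo, query and fragment are kept verbatim.
    static String canonicalize(String audience) {
        URI uri;
        try {
            uri = new URI(audience.trim()).normalize();
        } catch (URISyntaxException e) {
            return audience; // unparseable: compare the literal string rather than guess
        }
        if (uri.getScheme() == null || uri.getHost() == null) {
            return audience; // relative or opaque reference (e.g. a URN): compare literally
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        int port = uri.getPort() == defaultPort(scheme) ? -1 : uri.getPort();
        StringBuilder sb = new StringBuilder(scheme).append("://");
        if (uri.getRawUserInfo() != null) sb.append(uri.getRawUserInfo()).append('@');
        sb.append(uri.getHost().toLowerCase(Locale.ROOT));
        if (port != -1) sb.append(':').append(port);
        sb.append(uri.getRawPath() == null || uri.getRawPath().isEmpty() ? "/" : uri.getRawPath());
        if (uri.getRawQuery() != null) sb.append('?').append(uri.getRawQuery());
        if (uri.getRawFragment() != null) sb.append('#').append(uri.getRawFragment());
        return sb.toString();
    }
    // True if any audience asserted by the IdP matches one this service provider accepts.
    static boolean audienceMatches(List<String> assertionAudiences, List<String> acceptedAudiences) {
        Set<String> accepted = new HashSet<>();
        for (String a : acceptedAudiences) accepted.add(canonicalize(a));
        for (String a : assertionAudiences) if (accepted.contains(canonicalize(a))) return true;
        return false;
    }
    public static void main(String[] args) {
        // Constructed sample values: the two forms from the report plus a non-default port.
        List<String> accepted = List.of("https://example.com");
        for (String asserted : List.of("https://example.com:443", "HTTPS://EXAMPLE.COM/", "https://example.com:8443")) {
            System.out.println(asserted + " -> " + audienceMatches(List.of(asserted), accepted));
        }
    }
}
```

Keeping the non-default port (8443) and the scheme significant is deliberate: only equivalences RFC 3986 defines are collapsed, so the check becomes tolerant of spelling without accepting a different origin.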