Hi Hannes,

I wanted to point out that use of the term "audience" in this document is not consistent with the SAML 2.0 specification.


What you are referring to here as "audience" corresponds to <saml:destination> which is described as

[quote-saml2.0]
Destination [Optional]
A URI reference indicating the address to which this request has been sent. This is useful to prevent malicious forwarding of requests to unintended recipients, a protection that is required by some protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the location at which the message was received. If it does not, the request MUST be discarded. Some protocol bindings may require the use of this attribute (see [SAMLBind]).
[\quote]

In contrast, <saml:audience> is a means of /limiting the liability of the asserting party/ and is described in the following manner -

[quote-saml2.0]
 <Audience>
A URI reference that identifies an intended audience. The URI reference MAY identify a document that describes the terms and conditions of audience membership. It MAY also contain the unique identifier URI from a SAML name identifier that describes a system entity (see Section 8.3.6). The audience restriction condition evaluates to Valid if and only if the SAML relying party is a member of one or more of the audiences specified.

The SAML asserting party cannot prevent a party to whom the assertion is disclosed from taking action on the basis of the information provided. However, the <AudienceRestriction> element allows the SAML asserting party to state explicitly that no warranty is provided to such a party in a machine- and human-readable form. While there can be no guarantee that a court would uphold such a warranty exclusion in every circumstance, the probability of upholding the warranty exclusion is considerably improved.
[\quote]

- prateek
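[Editor's note, not part of the post above: the two quoted spec passages describe two different receiver-side checks, and the following Python is an added illustration of them, not code from the list or from any SAML implementation. The sample response, its Destination URL, the audience URIs and the relying-party identifiers are all constructed for the example; the only spec rules it encodes are the ones quoted above, plus the SAML Core rule that multiple <AudienceRestriction> elements are evaluated independently and must all hold.]

```python
"""Added example: a Destination check and an AudienceRestriction check, as
described in the quoted SAML 2.0 text. Not from the mailing-list post."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a response addressed to one endpoint, carrying an
# assertion restricted to two audiences. URLs/URIs are made up for the example.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    Destination="https://sp.example.test/acs">
  <saml:Assertion>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/metadata</saml:Audience>
        <saml:Audience>urn:example:partner-sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_destination(root, received_at):
    """Destination rule: if the attribute is present it MUST name the location
    at which the message was received, else the message MUST be discarded.
    An absent Destination passes here; a binding that requires it would not
    accept that, so callers for such bindings should treat None as failure."""
    dest = root.get("Destination")
    if dest is None:
        return True
    return dest == received_at


def audience_restriction_valid(conditions, relying_party_ids):
    """Audience rule: an <AudienceRestriction> is Valid iff the relying party
    is a member of one or more of the listed <Audience> URIs. Each
    <AudienceRestriction> element is an independent condition, so every one
    present must be satisfied."""
    for restriction in conditions.findall(f"{{{SAML}}}AudienceRestriction"):
        audiences = {a.text.strip() for a in restriction.findall(f"{{{SAML}}}Audience") if a.text}
        if not audiences & set(relying_party_ids):
            return False
    return True


def validate(xml_text, received_at, relying_party_ids):
    """Apply both checks in order; returns a short verdict string."""
    root = ET.fromstring(xml_text)
    if not check_destination(root, received_at):
        return "discard: Destination mismatch"
    for assertion in root.findall(f"{{{SAML}}}Assertion"):
        conds = assertion.find(f"{{{SAML}}}Conditions")
        if conds is not None and not audience_restriction_valid(conds, relying_party_ids):
            return "reject: relying party not in any listed audience"
    return "ok"


if __name__ == "__main__":
    # Received at the address it was sent to, by a listed audience member.
    print(validate(SAMPLE_RESPONSE, "https://sp.example.test/acs",
                   ["https://sp.example.test/metadata"]))
    # Same message arriving at a different endpoint: Destination check fails.
    print(validate(SAMPLE_RESPONSE, "https://other.example.test/acs",
                   ["https://sp.example.test/metadata"]))
    # Right endpoint, but this relying party is in none of the audiences.
    print(validate(SAMPLE_RESPONSE, "https://sp.example.test/acs",
                   ["urn:example:someone-else"]))
```

The point the example makes is the one the post makes: Destination is a property of where the message is delivered and is compared against the receiving endpoint, while Audience is a property of who may rely on the assertion and is compared against the relying party's own identifiers.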


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
