Hi,

You can override the default SAML Audience restriction validation via the "security.audience-restrictions" configuration property:

http://cxf.apache.org/docs/security-configuration.html

-----
security.audience-restrictions
CXF 3.1.13
A comma-separated String corresponding to a list of audience restriction URIs. The default value for this property contains the request URL and the Service QName. If the AUDIENCE_RESTRICTION_VALIDATION property is "true", and if a received SAML Token contains audience restriction URIs, then one of them must match one of the values specified in this property.
-----

Colm.

On Fri, Jan 17, 2020 at 4:34 PM RobCodes <[email protected]> wrote:
> We are currently implementing a client to consume an external SOAP service
> which provides a SAML assertion in the response. The external service
> controls both the SP and IDP, thus our client receives a single response with
> the data from the original request and a SAML assertion for use in
> subsequent requests.
>
> Currently the checkAudienceRestrictions is failing on the response. We are aware
> of the post recommending an override of the SamlAssertionValidator class's
> checkConditions method
> (http://cxf.547215.n5.nabble.com/CXF-Support-in-quot-Audience-Restriction-quot-of-SAML-2-td5742313.html)
> but are not certain this is the best approach for this problem.
>
> We have two goals.
>
> 1. Extract the audience being used by CXF to validate the audiences in the
> response.
> 2. Overwrite the default or add to the CXF audience list the audience we
> expect from the SP.
>
> From Colm's blog post (New SAML validation changes in Apache WSS4J and CXF)
> we understand the ability to supply audience restrictions was implemented in
> previous versions. Is this the better way to go about this and, if so, how is
> a list of audience restrictions supplied?
>
> We are using AdoptOpenJDK 11 (LTS) and Apache CXF 3.3.4.
>
> Thanks,
> Rob
>
> -----
> Regards,
> RobCodes
> --
> Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html
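Added example (not code from the thread or from the CXF project): how a JAX-WS client would supply the comma-separated audience list described above. The two property keys are the ones the CXF security-configuration page documents; the `SecurityConstants` field names in the comments, the `QName.toString()` rendering of the default Service QName entry, and all endpoint, namespace and audience values are assumptions for illustration. Because setting the property replaces CXF's default list rather than appending to it, the helper re-adds the request URL and Service QName so the SP's audience is added to, not substituted for, the defaults, and audience validation is left switched on.

```java
// Added example: configuring CXF SAML audience-restriction validation on a
// JAX-WS client. Not from the original thread or the CXF code base.
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;

public final class SamlAudienceConfig {

    /** Property documented above; assumed to match SecurityConstants.AUDIENCE_RESTRICTIONS. */
    public static final String AUDIENCE_RESTRICTIONS = "security.audience-restrictions";

    /**
     * Switch for the check itself (documented on the same CXF page; assumed to
     * match SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION). Leave it "true":
     * turning it off accepts an assertion minted for any other audience.
     */
    public static final String AUDIENCE_RESTRICTION_VALIDATION = "security.validate.audience-restriction";

    private SamlAudienceConfig() {
    }

    /**
     * Builds the comma-separated value. Setting the property overwrites the
     * default list, so the request URL and Service QName are re-added here to
     * extend rather than replace it. Rendering the QName as "{ns}local" via
     * QName.toString() is an assumption about how CXF formats that entry.
     */
    public static String audienceList(String requestUrl, QName serviceName, String... spAudiences) {
        List<String> audiences = new ArrayList<>();
        if (requestUrl != null && !requestUrl.isEmpty()) {
            audiences.add(requestUrl);
        }
        if (serviceName != null) {
            audiences.add(serviceName.toString());
        }
        for (String a : spAudiences) {
            if (a != null && !a.trim().isEmpty()) {
                audiences.add(a.trim());
            }
        }
        if (audiences.isEmpty()) {
            throw new IllegalArgumentException("at least one audience restriction URI is required");
        }
        return String.join(",", audiences);
    }

    /** Applies both properties to a generated JAX-WS port proxy's request context. */
    public static void configure(Object port, String audienceList) {
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(AUDIENCE_RESTRICTION_VALIDATION, "true");
        ctx.put(AUDIENCE_RESTRICTIONS, audienceList);
    }

    public static void main(String[] args) {
        // Hypothetical values: the endpoint being called, its WSDL service name,
        // and the audience URI the external SP places in its assertions.
        String list = audienceList(
            "https://soap.example.test/sp/Service",
            new QName("http://example.test/sp", "SpService"),
            "urn:example:sp:client-audience");
        System.out.println(list);
        // With a real port obtained from the generated Service class:
        // configure(port, list);
    }
}
```

The same two keys can equally be set as `jaxws:properties` entries on a Spring-configured client bean; what matters is that the SP's audience URI is pinned explicitly rather than the check being disabled. On JDK 11 the `javax.xml.ws` API is no longer in the JDK, but CXF 3.3.x pulls it in as a dependency.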
