Validate SAML Audience URIs
The Validate SAML Audience URIs policy validates the Audience Restriction in the Conditions section of the SAML assertion. It checks whether any of the Audience URIs within a valid condition element of the SAML assertion matches any of the configured URIs. If two conditions are present, one of the audience URIs in the first condition and one of the audience URIs in the second condition must each match one of the URIs configured in this policy for the virtual service.
This policy is used in the following scenarios:
When the native service is enforced with the SAML policy and the service provider wants to delegate Audience Restriction validation to Mediator.
When the SAML policy is enforced for the virtual service in Mediator.
For more information on the Audience URI, see the Conditions and Audience Restriction sections of the SAML specification, available at https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf.
Input Parameters

Parameter | Description |
URI | (URI). The audience URI. |
Match Criteria | To match the values, select one of the following values: |

Value | Description |
Allow Sublevels | Any one of the audience URIs in the incoming SAML assertion must either exactly match the configured URI or extend it with sub paths. For example, if http://yahoo.com is configured as the URI and the Allow Sublevels option is selected, an audience URI of http://yahoo.com/mygroup matches the condition because its base matches the configured URI (http://yahoo.com); the extra path mygroup is a sublevel path. |
Exact match | (Default). Any one of the audience URIs in the incoming SAML assertion must exactly match the configured URI. For example, if http://yahoo.com is configured as the URI and the Exact match option is selected, the audience URI must be http://yahoo.com in order to match the condition. |
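As an added illustration (not Mediator's own code), the following Python applies the rule described above to a constructed assertion with two AudienceRestriction conditions: every condition must contain at least one Audience that matches one of the configured URIs, under either match criterion. Rejecting an assertion that carries no AudienceRestriction at all is an assumption of this example, not something the policy description states.

```python
# Added example, not Mediator's code: per-condition Audience Restriction check.
from xml.etree import ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def uri_matches(audience: str, configured: str, allow_sublevels: bool) -> bool:
    """Exact match, or (with Allow Sublevels) the configured URI plus a sub path."""
    if audience == configured:
        return True
    if not allow_sublevels:
        return False
    # A sublevel must begin a new path segment: http://yahoo.com/mygroup matches
    # http://yahoo.com, but http://yahoo.com.example (a different host) does not.
    return audience.startswith(configured.rstrip("/") + "/")

def audience_restrictions(assertion_xml: str) -> list[list[str]]:
    """Return the Audience values of each AudienceRestriction condition."""
    root = ET.fromstring(assertion_xml)
    restrictions = root.findall(".//saml:Conditions/saml:AudienceRestriction", SAML_NS)
    return [[(a.text or "").strip() for a in r.findall("saml:Audience", SAML_NS)]
            for r in restrictions]

def validate_audience(assertion_xml: str, configured_uris: list[str],
                      allow_sublevels: bool = False) -> bool:
    """True only if every AudienceRestriction has some Audience matching a
    configured URI. Assumption: no AudienceRestriction at all is rejected."""
    conditions = audience_restrictions(assertion_xml)
    if not conditions:
        return False
    return all(
        any(uri_matches(aud, cfg, allow_sublevels)
            for aud in audiences for cfg in configured_uris)
        for audiences in conditions)

# Constructed sample assertion with two AudienceRestriction conditions.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>http://yahoo.com/mygroup</saml:Audience>
    </saml:AudienceRestriction>
    <saml:AudienceRestriction>
      <saml:Audience>http://partner.example/sp</saml:Audience>
      <saml:Audience>http://yahoo.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    print(validate_audience(SAMPLE_ASSERTION, ["http://yahoo.com"], allow_sublevels=True))   # True
    print(validate_audience(SAMPLE_ASSERTION, ["http://yahoo.com"], allow_sublevels=False))  # False
```

With Exact match the first condition fails because http://yahoo.com/mygroup is not identical to the configured http://yahoo.com, even though the second condition matches.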