CentraSite 10.5 | CentraSite User’s Guide | Runtime Governance | Run-Time Policy Management | Built-In Run-Time Actions Reference (CentraSite Business UI) | Built-in Actions for Run-Time Policies (CentraSite Business UI) | Validate SAML Audience URIs
Validate SAML Audience URIs
The Validate SAML Audience URIs policy validates the Audience Restriction in the Conditions section of a SAML assertion. It checks whether at least one Audience URI within each AudienceRestriction condition element of the assertion matches one of the URIs configured in the policy. If the assertion contains two conditions, one of the audience URIs in the first condition and one of the audience URIs in the second condition must each match one of the URIs configured in this policy for the virtual service.
This policy is used in the following scenarios:
* When the native service is enforced with the SAML policy and the service provider wants to delegate Audience Restriction validation to Mediator.
* When the SAML policy is enforced for the virtual service in Mediator.
For more information on Audience URIs, see the Conditions and Audience Restriction sections of the SAML specification, available at https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf.
Input Parameters
URI
(URI). The audience URI that an Audience value in the incoming SAML assertion must match.
Match Criteria
Specifies how the audience URIs in the assertion are compared with the configured URI. Select one of the following values:
Allow Sublevels
Any one of the audience URIs in the incoming SAML assertion must either match the configured URI exactly or extend it with additional path segments. For example, if http://yahoo.com is configured as the URI and Allow Sublevels is selected, an audience URI of http://yahoo.com/mygroup matches the condition, because its base (http://yahoo.com) matches the configured URI; the extra path segment mygroup is a sublevel.
Exact match
(Default). Any one of the audience URIs in the incoming SAML assertion must match the configured URI exactly. For example, if http://yahoo.com is configured as the URI and Exact match is selected, the assertion must contain the audience URI http://yahoo.com for the condition to match.
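The following added example (not CentraSite's or Mediator's own code) applies the rule described above to a constructed SAML 2.0 assertion with two AudienceRestriction conditions: every condition must contain at least one Audience that matches a configured URI, under either Exact match or Allow Sublevels. It assumes that a sublevel is an additional path segment under the configured URI with identical scheme and host, and that an assertion with no AudienceRestriction at all fails the check.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def audience_matches(audience, configured, allow_sublevels):
    """Exact match, or (with Allow Sublevels) extra path segments below the configured URI."""
    if audience == configured:
        return True
    if not allow_sublevels:
        return False
    a, c = urlsplit(audience), urlsplit(configured)
    # Assumption: scheme and host must be identical, so a host that merely starts with
    # the configured host (for example http://yahoo.com.example) is not a sublevel.
    if (a.scheme, a.netloc) != (c.scheme, c.netloc):
        return False
    base = c.path.rstrip("/")
    return a.path.startswith(base + "/")


def audience_restrictions(assertion_xml):
    """Return one list of Audience values per <AudienceRestriction> condition."""
    root = ET.fromstring(assertion_xml)
    conds = root.findall(f".//{{{SAML_NS}}}Conditions/{{{SAML_NS}}}AudienceRestriction")
    return [[(aud.text or "").strip() for aud in c.findall(f"{{{SAML_NS}}}Audience")]
            for c in conds]


def validate_audience(assertion_xml, configured_uris, allow_sublevels=False):
    """True only if every AudienceRestriction has an Audience matching a configured URI."""
    restrictions = audience_restrictions(assertion_xml)
    if not restrictions:
        return False  # assumption: fail closed when no AudienceRestriction is present
    return all(any(audience_matches(aud, cfg, allow_sublevels)
                   for aud in auds for cfg in configured_uris)
               for auds in restrictions)


# Constructed sample assertion (signature omitted); two conditions, as in the text above.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_constructed-1">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>http://yahoo.com/mygroup</saml:Audience>
    </saml:AudienceRestriction>
    <saml:AudienceRestriction>
      <saml:Audience>http://other.example/app</saml:Audience>
      <saml:Audience>http://yahoo.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```

With the configured URI http://yahoo.com, the sample passes under Allow Sublevels (first condition by sublevel, second by exact match) and fails under Exact match because the first condition only carries http://yahoo.com/mygroup.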