Validate SAML Audience URIs
The Validate SAML Audience URIs policy validates the Audience Restriction in the conditions section of the SAML assertion. It verifies whether any valid audience URI within a valid condition element of the SAML assertion matches any of the configured URIs. If two conditions are available, one of the audience URIs in the first condition and one of the audience URIs in the second condition must each match one of the URIs configured in this policy for the virtual service.
This policy is used in the following scenarios:
* When the native service is enforced with the SAML policy and the service provider wants to delegate Audience Restriction validation to Mediator.
* When the SAML policy is enforced for the virtual service in Mediator.
For more information on audience URIs, see the conditions and audience restriction sections of the SAML specification, available at https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf.
Input Parameters
The table lists the input parameters to be configured based on the routing options:
URI
URI. Mandatory. The audience URI.
Click to add a new URI.
Click to delete a URI.
Match Criteria
To match the values, select one of the following values:
Value
Description
Allow Sublevels
Any one of the audience URIs in the incoming SAML assertion must either match the configured URI exactly or be a sub-path of it. For example, if http://yahoo.com is configured as the URI and the Allow Sublevels option is selected, an audience URI of http://yahoo.com/mygroup matches the condition because the main URI matches the configured URI (http://yahoo.com). The extra path "mygroup" is a sublevel path.
Exact match
Default. Any one of the audience URIs in the incoming SAML assertion must match the configured URI exactly. For example, if http://yahoo.com is configured as the URI and the Exact match option is selected, the audience URI must be http://yahoo.com in order to match the condition.
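The matching rules above, sketched as an added Python example (not CentraSite or Mediator code; this page does not state how Mediator implements the comparison). It assumes a SAML 2.0 assertion whose signature has already been verified, treats each AudienceRestriction element as one condition, and compares sublevels on a path boundary so that a longer host name or path segment does not pass as a sublevel. The function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the Conditions part of an assertion, two conditions.
SAMPLE = """<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AudienceRestriction>
    <saml:Audience>http://yahoo.com/mygroup</saml:Audience>
    <saml:Audience>http://other.example/app</saml:Audience>
  </saml:AudienceRestriction>
  <saml:AudienceRestriction>
    <saml:Audience>http://yahoo.com</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>"""

def audiences_per_condition(conditions_xml):
    """Return one list of audience URIs per AudienceRestriction element."""
    root = ET.fromstring(conditions_xml)
    return [[(a.text or "").strip() for a in r.findall("saml:Audience", NS)]
            for r in root.iter("{%s}AudienceRestriction" % NS["saml"])]

def uri_matches(audience, configured, allow_sublevels=False):
    if audience == configured:             # Exact match (the default)
        return True
    if not allow_sublevels:
        return False
    a, c = urlsplit(audience), urlsplit(configured)
    if (a.scheme, a.netloc) != (c.scheme, c.netloc):
        return False                       # host must be identical, not a string prefix
    base = c.path.rstrip("/")
    return a.path.startswith(base + "/")   # sublevel only on a "/" boundary

def validate(conditions_xml, configured_uris, allow_sublevels=False):
    """Every condition needs at least one audience matching a configured URI."""
    conditions = audiences_per_condition(conditions_xml)
    # Assumption of this sketch: an assertion with no AudienceRestriction is rejected.
    return bool(conditions) and all(
        any(uri_matches(a, c, allow_sublevels) for a in auds for c in configured_uris)
        for auds in conditions)
```

With http://yahoo.com as the only configured URI, the sample passes under Allow Sublevels and fails under Exact match, because the first condition contains no audience equal to the configured URI.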
Copyright © 2005-2016 Software AG, Darmstadt, Germany.
