Configuring validation for the AudienceRestriction element
You can configure validation for the AudienceRestriction value in a SAML response.
About this task
For any identity provider (IdP) connection configured with multiple virtual server IDs, the AudienceRestriction value in a SAML response must match the virtual server ID information embedded in the protocol endpoint at which PingFederate receives the message. This check is what stops an assertion issued for one virtual server ID from being accepted at the endpoint of another.
You can disregard this validation condition on a per-connection basis. Do so only for a partner that cannot issue the correct audience value, because PingFederate then no longer rejects a response from that partner whose AudienceRestriction names a different virtual server ID than the one at which it arrived.
Steps
- Edit the org.sourceid.saml20.util.VirtualIdentityUtil.xml file, located in the <pf_install>/pingfederate/server/default/data/config-store directory.
- Optionally, if you want to disregard the validation condition for an IdP connection, add its Partner's Entity ID value as an entry inside the c:map element.

  Example:

    <?xml version="1.0" encoding="UTF-8"?>
    <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
        <c:map name="AllowAnyVirtualServerIdInAudience">
            <c:item name="www.example.com"/>
            <c:item name="www.example.org"/>
        </c:map>
    </c:config>
  Result:

  In this example, the first entry adds the IdP connection with a Partner's Entity ID of www.example.com to the list, so that PingFederate no longer returns an error if the AudienceRestriction value in a SAML response from that partner does not match the virtual server ID information embedded in the protocol endpoint at which PingFederate receives the message. The second entry has the same effect for the IdP connection with a Partner's Entity ID of www.example.org. Note that the value entered is the partner's (the IdP's) entity ID, not one of PingFederate's own virtual server IDs.
- Save your changes.
- Restart PingFederate.

For a clustered PingFederate environment, perform these steps on the console node, and then click Replicate Configuration on System → Server → Cluster Management.
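The following is an added example, not PingFederate code or part of the original page. It does two things that a practitioner wants when changing this setting: it audits and edits the AllowAnyVirtualServerIdInAudience map in a copy of the config-store file shown above (the file format is taken from the page; the sample content is constructed), and it models the audience check that the exemption relaxes, so that the effect of adding a partner to the map can be seen on concrete values. The model is a simplification written for this example, not PingFederate's implementation; in particular it assumes that "any virtual server ID" in the map name means any virtual server ID configured for that connection, and the entity IDs and virtual server IDs used are made up.

```python
"""Audit/edit the AllowAnyVirtualServerIdInAudience map and model the check it relaxes.

Added example; not PingFederate code. The config-store format follows the page.
"""
import xml.etree.ElementTree as ET

CONFIG_NS = "http://www.sourceid.org/2004/05/config"
MAP_NAME = "AllowAnyVirtualServerIdInAudience"
ET.register_namespace("c", CONFIG_NS)  # keep the c: prefix when serialising


def _q(tag):
    """Clark-notation name for a tag in the config namespace."""
    return f"{{{CONFIG_NS}}}{tag}"


# Constructed sample of org.sourceid.saml20.util.VirtualIdentityUtil.xml with one exemption.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
    <c:map name="AllowAnyVirtualServerIdInAudience">
        <c:item name="www.example.com"/>
    </c:map>
</c:config>
"""


def _find_map(root):
    """Return the exemption c:map element, or None if the file has none yet."""
    return next((m for m in root.findall(_q("map")) if m.get("name") == MAP_NAME), None)


def exempt_entity_ids(config_xml):
    """Partner entity IDs for which the audience check is disabled (audit view)."""
    root = ET.fromstring(config_xml)
    m = _find_map(root)
    if m is None:
        return []
    return sorted(item.get("name") for item in m.findall(_q("item")))


def add_exemption(config_xml, partner_entity_id):
    """Return the config bytes with partner_entity_id added to the map, without duplicates.

    Creates the c:map if the file does not have one yet.
    """
    root = ET.fromstring(config_xml)
    m = _find_map(root)
    if m is None:
        m = ET.SubElement(root, _q("map"), name=MAP_NAME)
    existing = {item.get("name") for item in m.findall(_q("item"))}
    if partner_entity_id not in existing:
        ET.SubElement(m, _q("item"), name=partner_entity_id)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def audience_check_passes(audiences, endpoint_vsid, connection_vsids, partner_entity_id, exempt):
    """Simplified model of the check the page describes (assumption, not PingFederate's code).

    audiences:        Audience values from the response's AudienceRestriction.
    endpoint_vsid:    virtual server ID embedded in the endpoint that received the response.
    connection_vsids: every virtual server ID configured for this IdP connection (assumed to
                      be the set that "any virtual server ID" in the map name refers to).
    exempt:           entity IDs read from the map with exempt_entity_ids().
    """
    if partner_entity_id in exempt:
        # Relaxed: any of the connection's virtual server IDs is accepted as audience.
        return any(a in connection_vsids for a in audiences)
    # Default: the audience must name the virtual server ID of the receiving endpoint.
    return endpoint_vsid in audiences


if __name__ == "__main__":
    updated = add_exemption(SAMPLE_CONFIG, "www.example.org")
    print(updated.decode())
    print("exempt partners:", exempt_entity_ids(updated))
```

Run the audit function against the real file before and after a change to confirm that only the intended partner entity ID was added; the model function makes the trade-off visible: an assertion whose audience is virtual server ID B, delivered to the endpoint for virtual server ID A, is rejected for a normal connection and accepted for an exempted one.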