PingFederate Server

Configuring validation for the AudienceRestriction element

You can configure validation for the AudienceRestriction value in a SAML response.

About this task

For any identity provider (IdP) connection configured with multiple virtual server IDs, the AudienceRestriction value in a SAML response must match the virtual server ID information embedded in the protocol endpoint at which PingFederate receives the message.

You can disregard this validation condition on a per-connection basis.

Steps

  1. Edit the org.sourceid.saml20.util.VirtualIdentityUtil.xml file, located in the <pf_install>/pingfederate/server/default/data/config-store directory.

  2. Optionally, if you want to disregard the validation condition for an IdP connection, add its Partner’s Entity ID value as an entry inside the c:map element.

    Example:

    <?xml version="1.0" encoding="UTF-8"?>
    <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
        <c:map name="AllowAnyVirtualServerIdInAudience">
            <c:item name="www.example.com"/>
            <c:item name="www.example.org"/>
        </c:map>
    </c:config>

    Result:

    In this example, the first entry adds the IdP connection with a Partner’s Entity ID of www.example.com to the list, so PingFederate no longer returns an error for that connection when the AudienceRestriction value in a SAML response does not match the virtual server ID information embedded in the protocol endpoint at which PingFederate receives the message. The second entry has the same effect for the IdP connection with a Partner’s Entity ID of www.example.org.

  3. Save your changes.

  4. Restart PingFederate.

    For a clustered PingFederate environment, perform these steps on the console node, and then click Replicate Configuration on System → Server → Cluster Management.
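The validation rule described above, worked through as an added example (not PingFederate's own code): it reads the AllowAnyVirtualServerIdInAudience map from a constructed copy of the config-store file, extracts the Audience values from a constructed SAML assertion, and applies the check. It assumes, from the map's name, that an exempt connection is still required to present an Audience matching one of this server's configured virtual server IDs rather than none at all; the sample entity IDs, virtual server IDs and function names are assumptions.

```python
import xml.etree.ElementTree as ET

CONFIG_NS = "http://www.sourceid.org/2004/05/config"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MAP_NAME = "AllowAnyVirtualServerIdInAudience"

# Constructed sample of the config-store file; only www.example.com is exempt.
CONFIG_STORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
    <c:map name="AllowAnyVirtualServerIdInAudience">
        <c:item name="www.example.com"/>
    </c:map>
</c:config>"""

# Constructed sample assertion naming one audience (virtual server IDs are assumed values).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.net/tenant-b</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def load_exempt_partners(config_xml: str) -> set:
    """Return the Partner Entity IDs listed under the AllowAnyVirtualServerIdInAudience map."""
    root = ET.fromstring(config_xml)
    exempt = set()
    for m in root.findall(f"{{{CONFIG_NS}}}map"):
        if m.get("name") == MAP_NAME:
            exempt.update(i.get("name") for i in m.findall(f"{{{CONFIG_NS}}}item"))
    return exempt

def audiences_from_assertion(assertion_xml: str) -> set:
    """Collect every Audience value inside the assertion's AudienceRestriction elements."""
    root = ET.fromstring(assertion_xml)
    return {a.text.strip() for a in root.iter(f"{{{SAML_NS}}}Audience") if a.text}

def audience_ok(partner_entity_id, endpoint_vsid, configured_vsids, audiences, exempt):
    """Accept the response only if its audience matches the virtual server ID
    embedded in the receiving endpoint, or, for an exempt connection, any
    virtual server ID configured on this server (assumed reading of the map name)."""
    if partner_entity_id in exempt:
        return bool(audiences & set(configured_vsids))
    return endpoint_vsid in audiences
```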