---
title: Configuring validation for the AudienceRestriction element
description: You can configure validation for the AudienceRestriction value in a SAML response.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_config_validat_for_audiencerestric_element
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_config_validat_for_audiencerestric_element.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
  result: Result:
---

# Configuring validation for the AudienceRestriction element

You can configure validation for the `AudienceRestriction` value in a SAML response.

## About this task

For any identity provider (IdP) connection configured with multiple virtual server IDs, the `AudienceRestriction` value in a SAML response must match the virtual server ID information embedded in the protocol endpoint at which PingFederate receives the message.

You can disregard this validation condition on a per-connection basis.

## Steps

1. Edit the `org.sourceid.saml20.util.VirtualIdentityUtil.xml` file, located in the `<pf_install>/pingfederate/server/default/data/config-store` directory.

2. Optionally, if you want to disregard the validation condition for an IdP connection, add its **Partner's Entity ID** value as an entry inside the `c:map` element.

   ### Example:

   ```xml
   <?xml version="1.0" encoding="UTF-8"?>
   <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
       <c:map name="AllowAnyVirtualServerIdInAudience">
           <c:item name="www.example.com"/>
           <c:item name="www.example.org"/>
       </c:map>
   </c:config>
   ```

   ### Result:

   In this example, the first entry adds the IdP connection with a **Partner's Entity ID** of `www.example.com` to the list. As a result, PingFederate no longer returns an error if the `AudienceRestriction` value in a SAML response from that connection does not match the virtual server ID information embedded in the protocol endpoint at which PingFederate receives the message. The second entry has the same effect for the IdP connection with a **Partner's Entity ID** of `www.example.org`.

3. Save your changes.

4. Restart PingFederate.

   For a clustered PingFederate environment, perform these steps on the console node, and then click **Replicate Configuration** on **System > Server > Cluster Management**.
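
Because each entry in this file disregards a validation condition for one connection, it is worth reviewing the list periodically. The following Python script is an added example, not part of PingFederate or its documentation: it parses the file format shown above and compares the exempt **Partner's Entity ID** values with a list you have approved. The function names, the approved list, and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace and map name as they appear in the example file on this page.
NS = {"c": "http://www.sourceid.org/2004/05/config"}
MAP_NAME = "AllowAnyVirtualServerIdInAudience"

# Constructed sample input mirroring the documented file layout.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
    <c:map name="AllowAnyVirtualServerIdInAudience">
        <c:item name="www.example.com"/>
        <c:item name="www.example.org"/>
    </c:map>
</c:config>
"""


def exempt_entity_ids(xml_bytes):
    """Return the entity IDs listed inside the AllowAnyVirtualServerIdInAudience map."""
    root = ET.fromstring(xml_bytes)
    ids = []
    for cmap in root.findall("c:map", NS):
        if cmap.get("name") != MAP_NAME:
            continue  # ignore any other map in the file
        for item in cmap.findall("c:item", NS):
            name = item.get("name")
            if name:
                ids.append(name)
    return ids


def audit(xml_bytes, approved):
    """Compare the file with an approved list (hypothetical change-control record).

    Returns (unexpected, stale): entries present but not approved, and
    approved entries that are no longer present in the file.
    """
    found = set(exempt_entity_ids(xml_bytes))
    approved = set(approved)
    return sorted(found - approved), sorted(approved - found)


if __name__ == "__main__":
    # Assumed approved list: only www.example.com has a recorded exception.
    unexpected, stale = audit(SAMPLE_CONFIG, ["www.example.com"])
    for entity_id in unexpected:
        print(f"UNAPPROVED exemption: {entity_id}")
    for entity_id in stale:
        print(f"Approved but not configured: {entity_id}")
```

To run it against a real deployment, read the file from the `config-store` directory in binary mode and pass its contents to `audit`.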
