An authorization server like PingFederate might set an audience field on the access tokens that it issues, naming one or more services that are allowed to accept the access token. A REST service can use the audience field to ensure that it does not accept access tokens that are intended for use with a different service.

As with the Permitted Clients policy, each rule in the Permitted Audiences policy defines an acceptable audience value.

  1. Go to Policies > Policies.
  2. Expand Global Decision Point and SCIM Policy Set.
  3. Highlight Token Policies and click +.
  4. Click Add Policy.
  5. For the name, replace Untitled with Permitted Audiences.
  6. From the Combining Algorithm list, select Unless one decision is permit, the decision will be deny.
  7. Click + Add Rule.
  8. For the name, replace Untitled with Audience: https://example.com.
  9. From the Effect list, select Permit.
  10. In the Condition section:
    1. Click + Comparison.
    2. From the Select an Attribute list, select HttpRequest.AccessToken.audience.
    3. From the middle, comparison-type list, select Equals.
    4. In the C field, enter https://example.com.
  11. Expand + Advice and Obligations.
  12. Click the Components tab, expand Advice, and drag Unauthorized Audience to the Advice and Obligations box.
    Note: Do not click Show Advice and Obligations within the "Audience: https://example.com" rule.

  13. Click Save changes.

The final configuration should resemble the following image.

A screen capture of the Permitted Audiences policy configuration window
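
The decision logic that this policy produces, modelled in Python as an added example (it is not PingAuthorize code): the "Unless one decision is permit, the decision will be deny" combining algorithm over Equals rules on the token audience. The handling of a multi-valued `aud` claim and the return of the Unauthorized Audience advice only on deny are assumptions of this model, and the sample claims are constructed.

```python
from dataclasses import dataclass

ADVICE = "Unauthorized Audience"  # advice name taken from step 12


@dataclass(frozen=True)
class AudienceRule:
    name: str
    audience: str  # the value entered for the Equals comparison

    def permits(self, audiences):
        # Equals is modelled as exact, case-sensitive string equality:
        # no prefix matching and no URL normalisation.
        return self.audience in audiences


def token_audiences(claims):
    """Return the token audiences as a list (RFC 7519: string or array)."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, (list, tuple)):
        return [a for a in aud if isinstance(a, str)]
    return []  # missing or malformed claim: no rule can match


def evaluate(rules, claims):
    """Deny unless at least one rule permits (assumption: advice on deny only)."""
    audiences = token_audiences(claims)
    for rule in rules:
        if rule.permits(audiences):
            return {"decision": "PERMIT", "rule": rule.name, "advice": None}
    return {"decision": "DENY", "rule": None, "advice": ADVICE}


RULES = [AudienceRule("Audience: https://example.com", "https://example.com")]

# Constructed sample token claims, not taken from a real deployment.
SAMPLES = {
    "match": {"aud": "https://example.com"},
    "multi": {"aud": ["https://other.example", "https://example.com"]},
    "trailing_slash": {"aud": "https://example.com/"},
    "other_service": {"aud": "https://other.example"},
    "missing": {"sub": "user1"},
}

if __name__ == "__main__":
    for label, claims in SAMPLES.items():
        print(label, evaluate(RULES, claims))
```

The `trailing_slash` and `missing` samples show the two cases most likely to surprise during testing: an audience that differs from the rule value by one character, and a token with no audience at all, are both denied.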