Configuring validation for the AudienceRestriction element - PingFederate - 11.2

PingFederate Server


You can configure validation for the AudienceRestriction value in a SAML response.

For any identity provider (IdP) connection configured with multiple virtual server IDs, the AudienceRestriction value in a SAML response must match the virtual server ID information embedded in the protocol endpoint at which PingFederate receives the message.

You can disregard this validation condition on a per-connection basis.

  1. Edit the org.sourceid.saml20.util.VirtualIdentityUtil.xml file, located in the <pf_install>/pingfederate/server/default/data/config-store directory.
  2. Optionally, if you want to disregard the validation condition for an IdP connection, add its Partner's Entity ID value as an entry inside the c:map element.
    <?xml version="1.0" encoding="UTF-8"?>
    <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
        <c:map name="AllowAnyVirtualServerIdInAudience">
            <c:item name="www.example.com"/>
            <c:item name="www.example.org"/>
        </c:map>
    </c:config>

    In this example, the first entry adds the IdP connection with a Partner's Entity ID of www.example.com to the list. As a result, PingFederate no longer returns an error when the AudienceRestriction value in a SAML response from that connection does not match the virtual server ID information embedded in the protocol endpoint at which PingFederate receives the message. The second entry has the same effect for the IdP connection with a Partner's Entity ID of www.example.org.

  3. Save your changes.
  4. Restart PingFederate.

    For a clustered PingFederate environment, perform these steps on the console node, and then click Replicate Configuration on System > Server > Cluster Management. You do not have to restart PingFederate on any running engine node.
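The validation rule this page describes, modelled in Python as an added example (not PingFederate's own code). The config file is the one shown above; the SAML assertion is constructed; passing the receiving endpoint's virtual server ID in directly and identifying the IdP connection by the assertion's Issuer are assumptions of the model.

```python
import xml.etree.ElementTree as ET

CONFIG_NS = "http://www.sourceid.org/2004/05/config"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed copy of the config-store file shown on this page.
CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
    <c:map name="AllowAnyVirtualServerIdInAudience">
        <c:item name="www.example.com"/>
        <c:item name="www.example.org"/>
    </c:map>
</c:config>"""

# Constructed, minimal assertion fragment carrying an AudienceRestriction.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>www.example.net</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>sp-vsid-one</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def load_exempt_partners(config_xml):
    """Collect the Partner's Entity IDs listed under AllowAnyVirtualServerIdInAudience."""
    root = ET.fromstring(config_xml)
    exempt = set()
    for m in root.iter("{%s}map" % CONFIG_NS):
        if m.get("name") == "AllowAnyVirtualServerIdInAudience":
            exempt.update(i.get("name") for i in m.iter("{%s}item" % CONFIG_NS) if i.get("name"))
    return exempt


def audiences(assertion_xml):
    """Return every Audience value under the assertion's AudienceRestriction elements."""
    root = ET.fromstring(assertion_xml)
    return [a.text.strip() for a in root.iter("{%s}Audience" % SAML_NS) if a.text]


def accept_response(assertion_xml, endpoint_vsid, exempt):
    """Rule from this page: the audience must match the virtual server ID embedded in
    the receiving endpoint, unless the issuing IdP connection is exempted. Identifying
    the connection by the assertion Issuer is an assumption of this model."""
    if endpoint_vsid in audiences(assertion_xml):
        return True
    issuer = ET.fromstring(assertion_xml).findtext("{%s}Issuer" % SAML_NS, default="")
    return issuer.strip() in exempt
```

Note that an exempted connection still passes every other assertion check; only the audience-to-virtual-server-ID match is skipped.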