zendesk / samlr

Clean room implementation of SAML for Ruby
Apache License 2.0

support multiple audience conditions #20

Closed kintner closed 8 years ago

kintner commented 8 years ago

@zendesk/secdev @grosser

Currently we only check the first <AudienceRestriction> node and the first <Audience> child when applying the audience restriction. This adds support for multiple <Audience> nodes under a single <AudienceRestriction> parent.

SAML Spec:

2.5.1.4 Elements <AudienceRestriction> and <Audience>

The <AudienceRestriction> element specifies that the assertion is addressed to one or more specific audiences identified by <Audience> elements. Although a SAML relying party that is outside the audiences specified is capable of drawing conclusions from an assertion, the SAML asserting party explicitly makes no representation as to accuracy or trustworthiness to such a party. It contains the following element:

<Audience>

A URI reference that identifies an intended audience. The URI reference MAY identify a document that describes the terms and conditions of audience membership. It MAY also contain the unique identifier URI from a SAML name identifier that describes a system entity (see Section 8.3.6).

The audience restriction condition evaluates to Valid if and only if the SAML relying party is a member of one or more of the audiences specified.
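As an added example (not samlr's own code from this PR), the evaluation described in the comment and the spec excerpt, written in Ruby on top of REXML: the first-audience-only check beside the spec-conformant one. The assertion, entity IDs and method names are constructed for illustration; the `saml:` prefix mapping is an assumption about the input, not samlr's parsing.

```ruby
require "rexml/document"

# Constructed sample assertion (not from the samlr test suite): one
# <AudienceRestriction> carrying two <Audience> values, as the PR describes.
SAMPLE_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://legacy.example.com/sp</saml:Audience>
        <saml:Audience>https://example.com/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
XML

SAML_NS = { "saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }.freeze

# Returns one array of audience URIs per <AudienceRestriction>, in document order.
def audience_restrictions(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, "//saml:Conditions/saml:AudienceRestriction", SAML_NS).map do |restriction|
    REXML::XPath.match(restriction, "./saml:Audience", SAML_NS).map { |a| a.text.to_s.strip }
  end
end

# Behaviour the PR fixes: only the first <Audience> of the first
# <AudienceRestriction> is compared, so a relying party listed second is
# wrongly rejected.
def first_audience_only_valid?(xml, our_entity_id)
  first = audience_restrictions(xml).first
  first && first.first == our_entity_id
end

# Spec 2.5.1.4: a restriction is Valid iff the relying party is a member of
# one or more of its audiences (OR within a restriction). Multiple
# <AudienceRestriction> elements are evaluated independently and each must
# pass (AND across restrictions). An assertion with no restriction at all is
# treated here as not addressed to us, a conservative assumption.
def audience_valid?(xml, our_entity_id)
  restrictions = audience_restrictions(xml)
  return false if restrictions.empty?
  restrictions.all? { |audiences| audiences.include?(our_entity_id) }
end
```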

grosser commented 8 years ago

👍

jespr commented 8 years ago

👍