SSO Profile - Validate Audience option

[Martyn Houghton]

I have noticed that a new switch has appears since I last checked our SSO profile settings (some time ago) with the title of  Validate Audience, which appears to be disabled by default.

I could not find a reference to it in the wiki, so can someone explain what this does?

Cheers

Martyn

[Victor]

@Martyn Houghton It is a validity condition for an assertion. In particular, it declares that the assertion's semantics are only valid for the relying party named by URI in that element. The purpose is to restrict the conditions under which the assertion is valid and to optionally provide terms and conditions relating to such validity. So the semantics of the element has to do with the scope and conditions of the trust relationships.

As one of the user's replies to this discussion on stackexchange "you can see this as one (of many) ways of reducing replay-attacks. You cannot capture a SAML-assertion valid in one context and reuse it in another context."

[Guest Paul Alexander]

Hi

Can anyone tell me what this does in non-techy-speak please? Does it have any effect on whether people can access the portal?

 

thanks

 

[Victor]

3 minutes ago, Paul Alexander said:

Can anyone tell me what this does in non-techy-speak please? Does it have any effect on whether people can access the portal?

Mmmm... not sure how I would explain it non-technical as it is a very technical topic... but no, it does not affect how authentication takes place (no effect on whether people can access the portal) as long as both your ADFS (the identity provider) and Hornbill (the service provider) are configured correctly. 

The ADFS configuration is something covered by your technical admin team.The Hornbill configuration (basically enabling or disabling this security option) can be done once the ADFS configuration is complete.

[Guest Paul Alexander]

So...should I be worried about the 'message' saying that our SSO config is not secure?

[Victor]

@Paul Alexander that message is a generic message that shows up whenever you choose to disable one or more of the security options in Hornbill SSO configuration. It does not necessarily mean it is not secure, what it actually means is that is less secure than it could potentially be...

[Martyn Houghton]

@Victor, @Paul Alexander

Thanks. I think I will enable when I have the SSO Admin Tool bypass to hand in case we have an issue after advising.

Cheers

Martyn

[nasimg]

@Martyn Houghton, @Victor

We only noticed this today - Martyn did you make the change (we are planning something similar using the admin bypass url) just wanted to know whether it was as simple as just enabling. Or did you need your infrastructure staff to amend the certificate.

On a separate note I think this sort of change should be highlighted better to all SSO users - seems most of us were unaware. We tend to check this area when we are updating the certificates (once a year).

Nasim

[Victor]

@nasimg it was mentioned in the platform release notes... apologies if this was not detailed enough  

On 21/11/2017 at 4:24 PM, Harry Hornbill said:

Implemented an option to control the Audience Condition check on the SAML Assertion Validator

https://community.hornbill.com/topic/11687-new-update-hornbill-esp-2856/

6 minutes ago, nasimg said:

Or did you need your infrastructure staff to amend the certificate.

Mmm... not quite sure what audience validation has to do with certificates?

[nasimg]

@victor

Thanks for the Nov 2017 link, but still not obvious that this setting was there. Martyn didn't see it till Feb 2018, and we didn't see it till now - better if it mentioned SSO profile (IMO).

You should also update your wiki https://wiki.hornbill.com/index.php/Single_Sign_On_Profiles, still has the "classic" settings (doesn't show the new Audience option)

Nasim

[Victor]

@nasimg yes, I understand what you meant, that's why I agreed we should have made it more obvious or explaining it better... and wiki needs an update in several places (sigh), I'll put that on my list.

EDIT: I am still not sure why you asking if your infrastructure needs to amend certificates in relation to audience validation...

[nasimg]

LOL - I'm in a bad mood....as I don't have a clue what the option does, if I enabled it (as it is saying we are not secure) would I stop customers logging on.

Nasim

[Victor]

@nasimg is just an added security measure and it does not affect customers logging in as long as both parties (Hornbill and IdP - e.g. ADFS) are configured for audience validation... but that would be something for your admins to consider...

[Martyn Houghton]

@nasimg

I enabled it, whilst having the admin bypass URL and password to hand just incase. We have been running with it on since beginning of March without issue.

Cheers

Martyn