Martyn Houghton, posted February 19, 2018: I have noticed that a new switch has appeared since I last checked our SSO profile settings (some time ago) with the title of Validate Audience, which appears to be disabled by default. I could not find a reference to it in the wiki, so can someone explain what this does? Cheers, Martyn
Victor, posted February 26, 2018: @Martyn Houghton It is a validity condition for an assertion. In particular, it declares that the assertion's semantics are only valid for the relying party named by URI in that element. The purpose is to restrict the conditions under which the assertion is valid and to optionally provide terms and conditions relating to such validity. So the semantics of the element have to do with the scope and conditions of the trust relationships. As one of the users replied in this discussion on stackexchange: "you can see this as one (of many) ways of reducing replay-attacks. You cannot capture a SAML-assertion valid in one context and reuse it in another context."
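An added example of the check Victor describes, written for this thread and not Hornbill's own validator code: it applies the SAML 2.0 Audience Condition to an assertion and rejects one that was issued for a different relying party. The service-provider entity ID, the issuer and the three sample assertions are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Hypothetical entity ID of our service provider; the assertion must name it.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"

def _tag(name: str) -> str:
    """Qualify a local name with the SAML assertion namespace for ElementTree."""
    return f"{{{SAML_NS}}}{name}"

def validate_audience(assertion_xml: str, sp_entity_id: str = SP_ENTITY_ID) -> bool:
    """Apply the SAML 2.0 Audience Condition.

    Every <AudienceRestriction> present must list our entity ID (several
    restrictions are ANDed; the <Audience> values inside one are ORed).
    An assertion with no restriction at all is rejected here as well, since
    that is the assertion that could be replayed against any relying party.
    Signature checking is out of scope; a real validator does that first and
    uses a hardened XML parser such as defusedxml rather than plain ElementTree.
    """
    root = ET.fromstring(assertion_xml)
    restrictions = root.findall(f"{_tag('Conditions')}/{_tag('AudienceRestriction')}")
    if not restrictions:
        return False
    for restriction in restrictions:
        names = [(a.text or "").strip() for a in restriction.findall(_tag("Audience"))]
        if sp_entity_id not in names:
            return False
    return True

def _assertion(conditions_body: str) -> str:
    """Build a constructed, unsigned sample assertion around the given Conditions body."""
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">'
            f'<saml:Issuer>https://idp.example.com/adfs</saml:Issuer>'
            f'<saml:Conditions>{conditions_body}</saml:Conditions>'
            f'</saml:Assertion>')

# Constructed samples: addressed to us, addressed to another SP, and unrestricted.
FOR_US = _assertion(f"<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>")
FOR_OTHER_SP = _assertion("<saml:AudienceRestriction><saml:Audience>https://other-sp.example.net/</saml:Audience></saml:AudienceRestriction>")
UNRESTRICTED = _assertion("")

if __name__ == "__main__":
    for label, doc in [("for us", FOR_US), ("other SP", FOR_OTHER_SP), ("unrestricted", UNRESTRICTED)]:
        print(f"{label}: {'accepted' if validate_audience(doc) else 'rejected'}")
```

With the switch off, the second and third assertions would be accepted on the strength of their signature alone; with it on, only the first passes.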
Guest Paul Alexander, posted February 27, 2018: Hi, can anyone tell me what this does in non-techy-speak please? Does it have any effect on whether people can access the portal? Thanks
Victor, posted February 27, 2018: 3 minutes ago, Paul Alexander said: "Can anyone tell me what this does in non-techy-speak please? Does it have any effect on whether people can access the portal?" Mmmm... not sure how I would explain it non-technically as it is a very technical topic... but no, it does not affect how authentication takes place (no effect on whether people can access the portal) as long as both your ADFS (the identity provider) and Hornbill (the service provider) are configured correctly. The ADFS configuration is something covered by your technical admin team. The Hornbill configuration (basically enabling or disabling this security option) can be done once the ADFS configuration is complete.
Guest Paul Alexander, posted February 27, 2018: So... should I be worried about the 'message' saying that our SSO config is not secure?
Victor, posted February 27, 2018: @Paul Alexander that message is a generic message that shows up whenever you choose to disable one or more of the security options in the Hornbill SSO configuration. It does not necessarily mean it is not secure; what it actually means is that it is less secure than it could potentially be...
Martyn Houghton (Author), posted February 28, 2018: @Victor, @Paul Alexander Thanks. I think I will enable it when I have the SSO Admin Tool bypass to hand in case we have an issue after advising. Cheers, Martyn
nasimg, posted March 22, 2018: @Martyn Houghton, @Victor We only noticed this today. Martyn, did you make the change (we are planning something similar using the admin bypass URL)? Just wanted to know whether it was as simple as just enabling it, or did you need your infrastructure staff to amend the certificate? On a separate note, I think this sort of change should be highlighted better to all SSO users; it seems most of us were unaware. We tend to check this area when we are updating the certificates (once a year). Nasim
Victor, posted March 22, 2018: @nasimg it was mentioned in the platform release notes... apologies if this was not detailed enough. On 21/11/2017 at 4:24 PM, Harry Hornbill said: "Implemented an option to control the Audience Condition check on the SAML Assertion Validator" https://community.hornbill.com/topic/11687-new-update-hornbill-esp-2856/ 6 minutes ago, nasimg said: "Or did you need your infrastructure staff to amend the certificate." Mmm... not quite sure what audience validation has to do with certificates?
nasimg, posted March 22, 2018: @victor Thanks for the Nov 2017 link, but it is still not obvious that this setting was there. Martyn didn't see it till Feb 2018, and we didn't see it till now; better if it mentioned SSO profile (IMO). You should also update your wiki https://wiki.hornbill.com/index.php/Single_Sign_On_Profiles, which still has the "classic" settings (doesn't show the new Audience option). Nasim
Victor, posted March 22, 2018: @nasimg yes, I understand what you meant, that's why I agreed we should have made it more obvious or explained it better... and the wiki needs an update in several places (sigh), I'll put that on my list. EDIT: I am still not sure why you are asking if your infrastructure needs to amend certificates in relation to audience validation...
nasimg, posted March 22, 2018: LOL, I'm in a bad mood... as I don't have a clue what the option does. If I enabled it (as it is saying we are not secure), would I stop customers logging on? Nasim
Victor, posted March 22, 2018: @nasimg it is just an added security measure and it does not affect customers logging in as long as both parties (Hornbill and the IdP, e.g. ADFS) are configured for audience validation... but that would be something for your admins to consider...
Martyn Houghton (Author), posted March 23, 2018: @nasimg I enabled it, whilst having the admin bypass URL and password to hand just in case. We have been running with it on since the beginning of March without issue. Cheers, Martyn