SSO Profile - Validate Audience option


Martyn Houghton

I have noticed that a new switch has appeared since I last checked our SSO profile settings (some time ago) with the title of Validate Audience, which appears to be disabled by default.


I could not find a reference to it in the wiki, so can someone explain what this does?

Cheers

Martyn


@Martyn Houghton It is a validity condition for an assertion. In particular, it declares that the assertion's semantics are only valid for the relying party named by URI in that element. The purpose is to restrict the conditions under which the assertion is valid and to optionally provide terms and conditions relating to such validity. So the semantics of the element has to do with the scope and conditions of the trust relationships.

As one of the user's replies to this discussion on stackexchange "you can see this as one (of many) ways of reducing replay-attacks. You cannot capture a SAML-assertion valid in one context and reuse it in another context."

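To make the AudienceRestriction check concrete, here is an added example (not Hornbill's code, and not part of the original reply) showing what a service provider does when an option like "Validate Audience" is on: it reads the Audience URIs from the assertion's Conditions and requires that its own entity ID is among them. The assertion, the entity IDs and the function names are constructed for illustration; the namespace is the standard SAML 2.0 assertion namespace. Following the SAML 2.0 spec, an assertion with several AudienceRestriction elements must satisfy all of them, and within one element any listed Audience is enough.

```python
# Added example: SAML 2.0 AudienceRestriction validation as a service provider
# would perform it. Not Hornbill's code; entity IDs below are placeholders.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion issued for one service provider ("sp-a").
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2018-03-01T10:00:00Z">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2018-03-01T09:59:00Z" NotOnOrAfter="2018-03-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp-a.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed assertion with no Conditions at all (so no audience restriction).
UNRESTRICTED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-2" Version="2.0" IssueInstant="2018-03-01T10:00:00Z">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
</saml:Assertion>"""


def audience_restrictions(assertion_xml):
    """Return a list of lists: one inner list of Audience URIs per
    AudienceRestriction element found under Conditions."""
    root = ET.fromstring(assertion_xml)
    result = []
    for restriction in root.findall("./saml:Conditions/saml:AudienceRestriction", SAML_NS):
        uris = [a.text.strip() for a in restriction.findall("saml:Audience", SAML_NS) if a.text]
        result.append(uris)
    return result


def validate_audience(assertion_xml, our_entity_id, validate=True, require_restriction=True):
    """Decide whether the assertion was issued for this service provider.

    validate=False models the option being switched off: the check is skipped.
    require_restriction=True rejects assertions that carry no AudienceRestriction
    (the spec treats a missing restriction as 'valid for anyone', which a
    strict service provider does not want to accept).
    Returns (ok, reason).
    """
    if not validate:
        return True, "audience validation disabled; assertion accepted without audience check"

    restrictions = audience_restrictions(assertion_xml)
    if not restrictions:
        if require_restriction:
            return False, "no AudienceRestriction present; rejected in strict mode"
        return True, "no AudienceRestriction present; assertion is unrestricted"

    # Every AudienceRestriction element must name us (AND across elements,
    # OR within an element).
    for uris in restrictions:
        if our_entity_id not in uris:
            return False, "assertion issued for %s, not for %s" % (uris, our_entity_id)
    return True, "audience matches %s" % our_entity_id


if __name__ == "__main__":
    for sp in ("https://sp-a.example.test/saml/metadata",
               "https://sp-b.example.test/saml/metadata"):
        print(sp, "->", validate_audience(SAMPLE_ASSERTION, sp))
```

The second entity ID in the usage loop is what the quoted stackexchange remark is about: an assertion captured while valid for one service provider is rejected by a different one, because the Audience names only the intended relying party. That is also why the option only bites when the identity provider (ADFS here) is configured to emit the service provider's entity ID as the audience.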

3 minutes ago, Paul Alexander said:

Can anyone tell me what this does in non-techy-speak please? Does it have any effect on whether people can access the portal?

Mmmm... not sure how I would explain it in non-technical terms as it is a very technical topic... but no, it does not affect how authentication takes place (no effect on whether people can access the portal) as long as both your ADFS (the identity provider) and Hornbill (the service provider) are configured correctly.

The ADFS configuration is something covered by your technical admin team. The Hornbill configuration (basically enabling or disabling this security option) can be done once the ADFS configuration is complete.


4 weeks later...

@Martyn Houghton, @Victor

We only noticed this today - Martyn, did you make the change (we are planning something similar using the admin bypass URL)? I just wanted to know whether it was as simple as just enabling it, or did you need your infrastructure staff to amend the certificate?

On a separate note I think this sort of change should be highlighted better to all SSO users - seems most of us were unaware. We tend to check this area when we are updating the certificates (once a year).

Nasim


@nasimg it was mentioned in the platform release notes... apologies if this was not detailed enough :(

On 21/11/2017 at 4:24 PM, Harry Hornbill said:

Implemented an option to control the Audience Condition check on the SAML Assertion Validator

https://community.hornbill.com/topic/11687-new-update-hornbill-esp-2856/

6 minutes ago, nasimg said:

Or did you need your infrastructure staff to amend the certificate.

Mmm... not quite sure what audience validation has to do with certificates?


@victor

Thanks for the Nov 2017 link, but still not obvious that this setting was there. Martyn didn't see it till Feb 2018, and we didn't see it till now - better if it mentioned SSO profile (IMO).

You should also update your wiki https://wiki.hornbill.com/index.php/Single_Sign_On_Profiles, still has the "classic" settings (doesn't show the new Audience option) ;)

Nasim


@nasimg yes, I understand what you meant, that's why I agreed we should have made it more obvious or explained it better... and the wiki needs an update in several places (sigh), I'll put that on my list.

EDIT: I am still not sure why you are asking if your infrastructure needs to amend certificates in relation to audience validation...


LOL - I'm in a bad mood... as I don't have a clue what the option does. If I enabled it (as it is saying we are not secure), would I stop customers logging on?

Nasim
