Keeping multiple Audience in same SAML AudienceRestriction tag

Article Id: 127754

Status: Published

Updated On: 02-06-2019 14:44

Products:

CA Single Sign On Secure Proxy Server (SiteMinder) , AXIOMATICS POLICY SERVER , CA Single Sign On SOA Security Manager (SiteMinder) , CA Single Sign-On , CA Single Sign-On

Issue/Introduction:

We are looking to Keep multiple Audience in same SAML AudienceRestriction tag, but are not able to achieve that result in the assertion.

Currently we are getting it as below.

<ns2:Conditions NotBefore="***" NotOnOrAfter="***">
<ns2:AudienceRestriction>
<ns2:Audience>abc</ns2:Audience>
</ns2:AudienceRestriction>
<ns2:AudienceRestriction>
<ns2:Audience>abcd</ns2:Audience>
</ns2:AudienceRestriction>
</ns2:Conditions>

But we require as below.

<ns2:Conditions NotBefore="***" NotOnOrAfter="***">
<ns2:AudienceRestriction>
<ns2:Audience>abc</ns2:Audience>
<ns2:Audience>abcd</ns2:Audience>
</ns2:AudienceRestriction>
</ns2:Conditions>

Environment:

Policy Server and Federation version: R12.52SP1
Federation Partnership

Resolution:

Policy Server will include both SPID and configured Audience in the assertion if SPID and Audience values are not the same.

Product is generating assertion as per the SAML specification. If one needs any modification to the product generated assertion, then s/he needs to use Assertion Generator Plugin (AGP).