The Recipient is associated with the Subject element of the SAML Assertion, which relates to the user or subject being authenticated and states that the subject data was issued by the IdP to this particular Recipient (SP), which can be validated.
The Subject data include the NameID Format, the NameID value (which uniquely identifies the user or object between the IdP and the SP), the confirmation method for that NameID (for example, a bearer token), and the Recipient and validity period of the token. Typically, the Recipient will be the endpoint of the SP at which the assertion is received.
```xml
...
<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
    3f7b3dcf-1674-4ecd-92c8-1544f346baf8
  </saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData
      InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
      Recipient="https://sp.example.com/SAML2/SSO/POST"
      NotOnOrAfter="2004-12-05T09:27:05"/>
  </saml:SubjectConfirmation>
</saml:Subject>
...
```
The Audience is associated with the Conditions element of the SAML Assertion, which states under which conditions, or in which security context, the assertion is valid, and which contains some conditions and restrictions on that validity (for example, the time window during which the assertion may be used, and so on). Typically, the Audience will be the SP's EntityID.
```xml
...
<saml:Conditions NotBefore="2004-12-05T09:17:05" NotOnOrAfter="2004-12-05T09:27:05">
  <saml:AudienceRestriction>
    <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>
...
```
The Audience and Recipient are intended for specific purposes in the SAML Assertion, and it cannot be blindly assumed that they will both have the same SP URL as their value. In addition, it depends on the IdP implementation, and on the IdP and SP together, to determine which values will be used in the Audience and Recipient elements of the SAML Assertion.
Zeigeist
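As an added example (not part of the answer above or of any SAML library), the following Python code shows the SP-side checks the answer describes: the bearer SubjectConfirmationData's Recipient is compared against the SP endpoint that actually received the Response, while the Conditions' Audience is compared against the SP's EntityID, together with the NotBefore/NotOnOrAfter window and the InResponseTo correlation. The sample assertion is constructed from the answer's snippets (with a trailing Z added to the timestamps, since SAML dateTime values are UTC); the Issuer, assertion ID, ACS URL and EntityID values are assumptions. It assumes the assertion's XML signature has already been verified, which must happen before any of these checks mean anything.

```python
"""Check the Recipient and Audience of a SAML 2.0 assertion against the SP's
own configuration. Added example, not from the original answer.
Assumes the XML signature has ALREADY been verified and timestamps are UTC."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion built from the answer's two snippets
# (Issuer, ID and IssueInstant are assumed values).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_assumed-id" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
      3f7b3dcf-1674-4ecd-92c8-1544f346baf8
    </saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
        Recipient="https://sp.example.com/SAML2/SSO/POST" NotOnOrAfter="2004-12-05T09:27:05Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_time(value):
    """SAML dateTime values are UTC; accept them with or without a trailing Z."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, acs_url, entity_id, outstanding_request_ids, now):
    """Return a list of error strings; an empty list means all checks passed.

    acs_url: the SP endpoint the Response was delivered to (expected Recipient).
    entity_id: the SP's EntityID (expected Audience).
    outstanding_request_ids: AuthnRequest IDs this SP issued and has not yet consumed.
    now: current UTC time, passed in so the 2004 sample can be checked deterministically.
    """
    errors = []
    root = ET.fromstring(xml_text)

    # Bearer confirmation: Recipient must equal the endpoint the assertion arrived at,
    # it must not have expired, and InResponseTo must match a request we actually sent.
    confirmed = False
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            errors.append("bearer SubjectConfirmation without SubjectConfirmationData")
            continue
        if data.get("Recipient") != acs_url:
            errors.append(f"Recipient {data.get('Recipient')!r} != ACS URL {acs_url!r}")
        expiry = data.get("NotOnOrAfter")
        if expiry is None or now >= parse_time(expiry):
            errors.append("SubjectConfirmationData expired or missing NotOnOrAfter")
        irt = data.get("InResponseTo")
        if irt is not None and irt not in outstanding_request_ids:
            errors.append(f"InResponseTo {irt!r} does not match an outstanding request")
        confirmed = True
    if not confirmed:
        errors.append("no bearer SubjectConfirmation")

    # Conditions: validity window, and every AudienceRestriction must name our EntityID
    # (the EntityID, not the ACS URL: the two are distinct values, as the answer says).
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_time(nb):
            errors.append("assertion not yet valid")
        if noa and now >= parse_time(noa):
            errors.append("assertion expired")
        restrictions = cond.findall("saml:AudienceRestriction", NS)
        if not restrictions:
            errors.append("no AudienceRestriction")
        for ar in restrictions:
            audiences = [a.text.strip() for a in ar.findall("saml:Audience", NS) if a.text]
            if entity_id not in audiences:
                errors.append(f"EntityID {entity_id!r} not in Audience {audiences}")
    return errors


if __name__ == "__main__":
    now = parse_time("2004-12-05T09:20:00Z")
    print(validate_assertion(SAMPLE_ASSERTION, "https://sp.example.com/SAML2/SSO/POST",
                             "https://sp.example.com/SAML2",
                             {"aaf23196-1773-2113-474a-fe114412ab72"}, now))
```

Running the module checks the sample at a time inside its validity window and prints an empty list; configuring the ACS URL as the expected Audience, or checking at or after 09:27:05Z, produces errors, which is exactly why the two values must be validated separately rather than against one shared SP URL.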