Check for audience

[sonnymai]

There doesn't seem to be any checks for the audience attribute. This would allow users using the same IDP to authenticate into service provider B if they had a valid token for service provider A (assuming both service providers use the same IDP).

Hopefully this logic is correct, I can add tests if this is verified.

[pdspicer]

You are correct, this check is currently missing. I would contest based on the SAML specification (saml-profiles-2.0-os, section 4.1.4.2) that the audience condition validation should REQUIRE the presence of an <Audience> element in at least one assertion where a <Subject> element with a <SubjectConfirmationData> condition is also present, and then further check that it contains the SP entityID.

[markstos]

This feature is still of interest if someone wants to pick it up.

[benjamine]

I can send a version with the suggestion above, I'm interested in getting this upstream.

[benjamine]

@markstos I opened #253 picking this up, made AudienceRestriction required when options.audience is specified, and added unit tests.

[markstos]

Closing this, as PR #253 was merged. Leave a comment there if you find any problem with it.