Using WIF, what is the difference between audienceUris and realm?

Tags: wif, adfs2.0, adfs

We have an ASP.NET application using WIF. Our web.config file has a section like this:

<audienceUris>
    <add value="https://someapp.mycompany.com/App/" />
</audienceUris>
<federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true"
                  issuer="https://adfs.mycompany.com/adfs/ls/"
                  realm="https://someapp.mycompany.com/App/"
                  requireHttps="true" />
    <cookieHandler requireSsl="false" />
</federatedAuthentication>

In every example I see, the audienceUris and realm have the same value. What is the difference between these two? Do we need them both?

Bryan asked Aug 02 '12 13:08


1 Answer

The realm is the unique identifier of the application -- the identity that's sent to the STS when logging in. However, the audienceUris element is used to limit from what applications the token will be accepted.

For example, a user could sign on and receive their token from a different relying party and then navigate to your application. If that application's realm is listed in the audienceUris, the token will be accepted and they can access the site (assuming that the application can also read the cookie).

If you think of a token as a passport, it's like saying that Great Britain will let in people with a US or British passport.

In answer to your question, you should include them both, but they can be the same.

Garrett Vlieger answered Sep 26 '22 01:09
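Added example (not from the question or answer, and not WIF's own code): a small Python sketch of the two roles the answer describes. The realm is what goes out in the WS-Federation sign-in request as wtrealm; audienceUris is what the incoming token's SAML Audience is checked against. The STS issuer, app URLs and the SAML assertion below are constructed sample values; the audience comparison here is an exact string match.

```python
from typing import Optional
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"


def sign_in_url(issuer: str, realm: str, reply_to: Optional[str] = None) -> str:
    """Build the WS-Federation passive sign-in redirect.
    The realm attribute is sent as wtrealm: it identifies *which* relying
    party is asking, so the STS applies that party's rules to the token."""
    params = {"wa": "wsignin1.0", "wtrealm": realm}
    if reply_to:
        params["wreply"] = reply_to
    return f"{issuer}?{urlencode(params)}"


def token_audiences(assertion_xml: str) -> set[str]:
    """Collect every <Audience> URI from a SAML 1.1 or SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    return {
        el.text.strip()
        for ns in (SAML11, SAML20)
        for el in root.iter(f"{{{ns}}}Audience")
        if el.text
    }


def audience_accepted(assertion_xml: str, audience_uris: list[str]) -> bool:
    """Mirror what the audienceUris element controls: accept the token only
    if one of its audiences is in the configured list. In this illustration
    a token carrying no audience restriction at all is rejected."""
    auds = token_audiences(assertion_xml)
    return bool(auds) and any(a in audience_uris for a in auds)


# Constructed sample: a SAML 1.1 assertion issued for a *different* relying
# party (the "other application" case from the answer above).
OTHER_APP_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML11}" AssertionID="_1">
  <saml:Conditions>
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://otherapp.mycompany.com/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    print(sign_in_url("https://adfs.mycompany.com/adfs/ls/", "https://someapp.mycompany.com/App/"))
    print(audience_accepted(OTHER_APP_TOKEN, ["https://someapp.mycompany.com/App/"]))  # False
    print(audience_accepted(OTHER_APP_TOKEN, ["https://someapp.mycompany.com/App/",
                                              "https://otherapp.mycompany.com/"]))     # True
```

Listing the other application's realm in audienceUris is what makes the second call succeed; with only your own realm configured, the same token is refused.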