
We have an ASP.NET application using WIF. Our web.config file has a section like this:

<audienceUris>
    <add value="https://someapp.mycompany.com/App/" />
</audienceUris>
<federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="https://adfs.mycompany.com/adfs/ls/" realm="https://someapp.mycompany.com/App/" requireHttps="true" />
    <cookieHandler requireSsl="false" />
</federatedAuthentication>

In every example I see, both the audienceUris and the realm have the same value. What is the difference between these two? Do we need them both?

Simon East
Bryan

1 Answer


The realm is the unique identifier of the application -- the identity that's sent to the STS when logging in. However, the audienceUris element is used to limit from what applications the token will be accepted.

For example, a user could sign on and receive their token from a different relying party and then navigate to your application. If that application's realm is listed in the audienceUris, the token will be accepted and they can access the site (assuming that the application can also read the cookie).

If you think of a token as a passport, it's like saying that Great Britain will let in people with a US or British passport.

In answer to your question, you should include them both, but they can be the same.

Garrett Vlieger
  • Thanks, that does help. One of the reasons for asking this question was that we were wondering if/how it is possible to connect directly to a server in a farm. So, if the application is in a farm, then the audienceUris and realm would be the URL of the farm. But what if we wanted to connect directly to one of the machines in the farm? Is that possible? – Bryan Aug 02 '12 at 15:29
  • The realm isn't really the URL. It's simply an identifier. It could be https://www.iloveadfsandidontcare.com or any URI, as long as it's unique to your STS. The actual URL of the endpoint is defined in AD FS, and that defines where the sign-in response is sent. So if you wanted to go directly to a specific URL in the farm, you would configure that in AD FS. – Garrett Vlieger Aug 02 '12 at 16:23
  • If I change the realm in my web.config to that URI you have and I keep the audienceUris the same (the actual URL of my app), I get an error saying the two have to match. (AudienceUriValidationFailedException: ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris.) So it looks like they are both needed and they both have to be the same. – Bryan Aug 03 '12 at 14:39
  • Right, your realm has to be in the audience list (doesn't make sense to exclude your own relying party), but the list can also include others. – Garrett Vlieger Aug 03 '12 at 15:16
  • I have localhost/ApplicationA and localhost/ApplicationB projects. Then is it possible for me to add both URLs in the audienceUris...? I have my realm as localhost/ApplicationA.... this is my post: http://stackoverflow.com/q/17739147/1343516 – felix Antony Jul 19 '13 at 09:08
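The realm/audienceUris split described in the answer and the ID1038 failure from the comments, as an added Python model that is not part of the original thread or of WIF itself: the realm goes out as wtrealm in the WS-Federation sign-in request and comes back as the token's Audience, while audienceUris is the accept list the relying party checks against. URI comparison is simplified (scheme and host case-insensitive, path as-is); the relying-party URIs and token audiences below are constructed sample values.

```python
"""Constructed model of WIF's realm vs. audienceUris behaviour (not WIF code)."""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample values modelled on the question's web.config.
ISSUER = "https://adfs.mycompany.com/adfs/ls/"
REALM = "https://someapp.mycompany.com/App/"
AUDIENCE_URIS = ["https://someapp.mycompany.com/App/"]


def normalize(uri: str) -> str:
    """Approximate System.Uri equality: scheme/host case-insensitive, path as-is."""
    p = urlsplit(uri)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))


def signin_request(issuer: str, realm: str, reply: str = "") -> str:
    """Passive-redirect URL the wsFederation element produces.
    wa=wsignin1.0 and wtrealm are standard WS-Federation parameters; the realm
    is only an identifier here, the STS decides where the response is posted."""
    params = {"wa": "wsignin1.0", "wtrealm": realm}
    if reply:
        params["wreply"] = reply  # optional return address, if the STS allows it
    return f"{issuer}?{urlencode(params)}"


def validate_audience(token_audiences, audience_uris) -> bool:
    """Mirror the AudienceRestriction check: at least one audience in the token
    must be in the configured audienceUris, otherwise the token is rejected."""
    allowed = {normalize(u) for u in audience_uris}
    if not any(normalize(a) in allowed for a in token_audiences):
        raise ValueError("ID1038: The AudienceRestrictionCondition was not valid "
                         "because the specified Audience is not present in AudienceUris.")
    return True


def realm_is_listed(realm: str, audience_uris) -> bool:
    """Deploy-time sanity check: a token issued for our own realm carries that
    realm as its Audience, so the realm must appear in audienceUris."""
    return normalize(realm) in {normalize(u) for u in audience_uris}


if __name__ == "__main__":
    print(signin_request(ISSUER, REALM))
    print(validate_audience([REALM], AUDIENCE_URIS))           # own realm: accepted
    # Bryan's scenario: realm changed to an arbitrary URI, audienceUris left alone.
    print(realm_is_listed("https://www.iloveadfsandidontcare.com", AUDIENCE_URIS))
    # Two relying parties sharing one accept list: a token for B is accepted at A.
    shared = ["http://localhost/ApplicationA", "http://localhost/ApplicationB"]
    print(validate_audience(["http://localhost/ApplicationB"], shared))
```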