Disable Audience Claim Validation
The claims to validate in the ID token containing the end user’s session:
-
0
: Validate theaud
andnonce
claim. -
1
: Validate thenonce
claim; don’t validate theaud
claim.
During an authentication request, AM creates an ID token that contains, among others, the end user’s session, and the aud
claim. The aud
claim is set to the agent profile of the agent that made the request. When AM returns the ID token to the end user’s user-agent, it appends a nonce
parameter to the request, which is a one-time-usable random string that is understood by both AM and the agent that made the authentication request.
When the agent receives a request to access a protected resource, the agent checks that the audience (the aud
claim) of the ID token and the value of the nonce
are appropriate. For example, it checks that the value of the aud
claim is the name of its own agent profile.
In environments where several agents protect the same application, this validation poses a problem; even if the ID token is valid and contains a valid session, an agent cannot validate a ID token created for a different agent because the audience would not match. Therefore, the agent redirects the end user to authenticate again.
For security reasons, agents should validate as many claims in the ID token as possible. |
Default: 0
Property name |
|
Type |
Integer |
Bootstrap property |
No |
Required property |
No |
Restart required |
No |
AM console |
Tab: Title: |