Disable Audience Claim Validation
The claims to validate in the ID token containing the end user's session:
- 0: Validate the aud and nonce claims.
- 1: Validate the nonce claim; don't validate the aud claim.
During an authentication request, AM creates an ID token that contains, among other claims, the end user's session and the aud claim. The aud claim is set to the agent profile of the agent that made the request. When AM returns the ID token to the end user's user-agent, it appends a nonce parameter to the request, which is a one-time-usable random string that is understood by both AM and the agent that made the authentication request.
When the agent receives a request to access a protected resource, the agent checks that the audience (the aud claim) of the ID token and the value of the nonce are appropriate. For example, it checks that the value of the aud claim is the name of its own agent profile.
In environments where several agents protect the same application, this validation poses a problem: even if the ID token is valid and contains a valid session, an agent cannot validate an ID token created for a different agent, because the audience would not match. Therefore, the agent redirects the end user to authenticate again.
For security reasons, agents should validate as many claims in the ID token as possible.
Default: 0
| Property name | |
| --- | --- |
| Function | Profile |
| Type | Integer |
| Bootstrap property | No |
| Required property | No |
| Restart required | No |
| AM console | Tab: Title: |
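The agent-side decision described above, as an added example that is not ForgeRock agent code: the ID token is assumed to be already signature-verified and given as a dict of claims, and outstanding nonces are assumed to be tracked in a set and consumed on first use to model their one-time use.

```python
# Added example, not ForgeRock agent code. Models the check an agent applies
# to an ID token under the two settings of "Disable Audience Claim Validation".
# Assumptions (mine, not the docs'): the token's signature has already been
# verified and its claims are given as a dict; nonces issued with an
# authentication request are kept in a set and removed on first use.
from dataclasses import dataclass, field

VALIDATE_AUD_AND_NONCE = 0   # default: validate aud and nonce
VALIDATE_NONCE_ONLY = 1      # validate nonce; don't validate aud


@dataclass
class AgentValidator:
    agent_profile: str                      # name of this agent's own profile
    disable_aud_validation: int = VALIDATE_AUD_AND_NONCE
    outstanding_nonces: set = field(default_factory=set)

    def issue_nonce(self, nonce: str) -> None:
        """Record the nonce appended to an authentication request."""
        self.outstanding_nonces.add(nonce)

    def accept_token(self, claims: dict) -> tuple:
        """Return (accepted, reason). A rejection is the case where the agent
        would redirect the end user to authenticate again."""
        nonce = claims.get("nonce")
        # The nonce is checked in both modes and is usable only once.
        if nonce is None or nonce not in self.outstanding_nonces:
            return False, "unknown or already used nonce"
        self.outstanding_nonces.discard(nonce)
        if self.disable_aud_validation == VALIDATE_AUD_AND_NONCE:
            # Default mode: the audience must be this agent's own profile.
            if claims.get("aud") != self.agent_profile:
                return False, "aud %r is not this agent's profile" % claims.get("aud")
        # Mode 1: aud is ignored, so a token minted for another agent that
        # protects the same application is accepted on the strength of the nonce.
        return True, "ok"


if __name__ == "__main__":
    # Constructed claims: a token issued for agent profile "agent-b".
    other_agents_token = {"aud": "agent-b", "nonce": "n1", "sid": "session-123"}
    strict = AgentValidator("agent-a")
    strict.issue_nonce("n1")
    print(strict.accept_token(other_agents_token))      # rejected: aud mismatch
    relaxed = AgentValidator("agent-a", disable_aud_validation=VALIDATE_NONCE_ONLY)
    relaxed.issue_nonce("n1")
    print(relaxed.accept_token(other_agents_token))     # accepted: nonce only
```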