Can somebody explain what is the difference between Recipient and Audience in SAML 2.0?
I found only a quite vague explanation from OneLogin here: https://support.onelogin.com/hc/en-us/articles/202673944-How-to-Use-the-OneLogin-SAML-Test-Connector:
The Recipient will tell you exactly who the SAML response is for, but the Audience will tell you, at a broader level, where the response should go. So for example, the Recipient could be Yankee Stadium, while the Audience could be New York City.
However, I am not 100% sure that it's correct. I have seen Audience be more specific than Recipient.
Recipient is associated with the Subject element of the SAML Assertion, which is about the user or subject for which the authentication is performed, and that Subject data is awarded by the IdP to that particular Recipient (the SP), who can act on the Assertion.
Subject data includes the NameID format and value (which identifies the user or subject uniquely between IdP and SP), the token format in which that NameID value is presented (e.g. bearer token), who the Recipient is, and the validity of the token. Typically the Recipient will be the SP endpoint where the assertion is received.
...
<saml:Subject>
    <saml:NameID
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
        3f7b3dcf-1674-4ecd-92c8-1544f346baf8
    </saml:NameID>
    <saml:SubjectConfirmation
        Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
            Recipient="https://sp.example.com/SAML2/SSO/POST"
            NotOnOrAfter="2004-12-05T09:27:05"/>
    </saml:SubjectConfirmation>
</saml:Subject>
...
Audience is associated with the Conditions element of the SAML Assertion, which tells under which security conditions or context the assertion is valid and provides some terms and conditions relating to such validity (like the time validity of the assertion, who can consume the assertion, etc.). Typically, Audience will be the EntityID of the SP.
...
<saml:Conditions
    NotBefore="2004-12-05T09:17:05"
    NotOnOrAfter="2004-12-05T09:27:05">
    <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
    </saml:AudienceRestriction>
</saml:Conditions>
...
Audience and Recipient are laid out for specific purposes within the SAML Assertion and cannot be blindly assumed to have the same SP URL as their value. Also, it depends on the IdP implementation, and the IdP and SP negotiate to come up with what values are to be used in the Audience and Recipient elements of the SAML Assertion.
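As an added example that is not part of the question or the answer, here is how an SP-side check would apply the two values the answer distinguishes: Recipient is compared against the SP's ACS endpoint and Audience against the SP's EntityID (both hypothetical settings here), alongside the NotOnOrAfter and NotBefore windows. The assertion is a constructed fragment built from the values quoted above, and signature verification is assumed to have happened before these checks.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical SP settings (assumptions for this example).
SP_ENTITY_ID = "https://sp.example.com/SAML2"           # what Audience must name
SP_ACS_URL = "https://sp.example.com/SAML2/SSO/POST"    # what Recipient must name

# Constructed assertion fragment built from the values shown in the answer.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
      3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
          Recipient="https://sp.example.com/SAML2/SSO/POST" NotOnOrAfter="2004-12-05T09:27:05"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2004-12-05T09:17:05" NotOnOrAfter="2004-12-05T09:27:05">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def validate(xml_text, now, entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL):
    """Return a list of failed checks; an empty list means the assertion is acceptable.
    Signature verification is assumed to have been done before calling this."""
    root = ET.fromstring(xml_text)
    errors = []
    # Recipient lives in SubjectConfirmationData: the bearer assertion must be
    # addressed to this SP's ACS endpoint, and that confirmation must not have expired.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        errors.append("Recipient does not match ACS URL")
    elif scd.get("NotOnOrAfter") and now >= datetime.fromisoformat(scd.get("NotOnOrAfter")):
        errors.append("SubjectConfirmationData expired")
    # Audience lives in Conditions: every AudienceRestriction must list this SP's
    # EntityID (multiple restrictions are ANDed), and the validity window must hold.
    cond = root.find("saml:Conditions", NS)
    restrictions = [] if cond is None else cond.findall("saml:AudienceRestriction", NS)
    if not restrictions or any(
        entity_id not in [(a.text or "").strip() for a in r.findall("saml:Audience", NS)] for r in restrictions
    ):
        errors.append("Audience does not contain SP EntityID")
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < datetime.fromisoformat(nb)) or (noa and now >= datetime.fromisoformat(noa)):
            errors.append("Conditions validity window not satisfied")
    return errors
```

An assertion whose Recipient matches but whose Audience names a different EntityID (or the reverse) is rejected, which is the practical consequence of the two values being distinct.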