Using WIF, what is the difference between audienceUris and realm?

Bryan · Aug 2, 2012 · Viewed 14.8k times

We have an ASP.NET application using WIF. Our web.config file has a section like this:

<audienceUris>
    <add value="https://someapp.mycompany.com/App/" />
</audienceUris>
<federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="https://adfs.mycompany.com/adfs/ls/" realm="https://someapp.mycompany.com/App/" requireHttps="true" />
    <cookieHandler requireSsl="false" />
</federatedAuthentication>

In every example I see, both the audienceUris and realm have the same value. What is the difference between these two? Do we need them both?

Answer

Garrett Vlieger · Aug 2, 2012

The realm is the unique identifier of the application -- the identity that's sent to the STS when logging in. However, the audienceUris element is used to limit the applications from which a token will be accepted.

For example, a user could sign on and receive their token from a different relying party and then navigate to your application. If that application's realm is listed in the audienceUris, the token will be accepted and they can access the site (assuming that the application can also read the cookie).

If you think of a token as a passport, it's like saying that Great Britain will let in people with a US or British passport.

In answer to your question, you should include them both, but they can be the same.
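The two roles described in the answer, modelled in a small added example (this is illustration code written for this page, not WIF's implementation or anything posted by the answerer): the realm is what the relying party places in the `wtrealm` parameter of the WS-Federation sign-in redirect, while the audienceUris list is what the relying party checks an incoming token's audience against before trusting it. The issuer, realm and audience values are placeholders copied from the question's web.config; the token structure and the `otherapp` realm are constructed for the demonstration, and audience matching here is a plain string comparison rather than WIF's `Uri` equality.

```python
from dataclasses import dataclass
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholders taken from the web.config in the question (not a real deployment).
ISSUER = "https://adfs.mycompany.com/adfs/ls/"
REALM = "https://someapp.mycompany.com/App/"
AUDIENCE_URIS = ["https://someapp.mycompany.com/App/"]

# Constructed realm of a second relying party that shares the same STS.
OTHER_APP_REALM = "https://otherapp.mycompany.com/"


def build_signin_request(issuer: str, realm: str, wctx: str = "") -> str:
    """Passive WS-Federation sign-in redirect.

    wa=wsignin1.0 asks the STS for a sign-in; wtrealm carries the realm, i.e.
    the identity under which *this* application requests a token. The STS uses
    it to pick the relying-party trust and to set the token's audience.
    """
    params = {"wa": "wsignin1.0", "wtrealm": realm}
    if wctx:
        params["wctx"] = wctx  # opaque round-trip state, e.g. the return URL
    return issuer + "?" + urlencode(params)


def realm_from_signin_request(url: str) -> str:
    """What the STS sees: the realm is recovered from the wtrealm parameter."""
    return parse_qs(urlparse(url).query)["wtrealm"][0]


@dataclass
class Token:
    """Minimal stand-in for a security token (constructed, not a real SAML token)."""
    issuer: str
    audiences: list[str]  # the token's AudienceRestriction URIs
    subject: str


def accept_token(token: Token, trusted_issuer: str, audience_uris: list[str]) -> tuple[bool, str]:
    """Relying-party side: trust the token only if it came from our STS and was
    issued for an audience we list in <audienceUris>.

    Exact string comparison is used here for clarity; WIF compares Uri values.
    """
    if token.issuer != trusted_issuer:
        return False, "untrusted issuer"
    if not any(aud in audience_uris for aud in token.audiences):
        return False, "audience not in audienceUris"
    return True, "accepted"


def demo() -> dict[str, tuple[bool, str]]:
    """Walk through the answer's scenario and return each outcome."""
    # 1. Our own token: audience equals our realm, which is in audienceUris.
    own = Token(ISSUER, [REALM], "alice")
    # 2. Token the user obtained by signing in to the other relying party first.
    foreign = Token(ISSUER, [OTHER_APP_REALM], "alice")
    # 3. Same token, but we have chosen to also accept the other app's realm
    #    (the "US or British passport" case from the answer).
    widened = AUDIENCE_URIS + [OTHER_APP_REALM]
    # 4. Right audience, wrong issuer: audienceUris alone is not enough.
    spoofed_issuer = Token("https://sts.example.invalid/", [REALM], "alice")
    return {
        "own_token": accept_token(own, ISSUER, AUDIENCE_URIS),
        "other_app_token": accept_token(foreign, ISSUER, AUDIENCE_URIS),
        "other_app_token_widened": accept_token(foreign, ISSUER, widened),
        "wrong_issuer": accept_token(spoofed_issuer, ISSUER, AUDIENCE_URIS),
    }


if __name__ == "__main__":
    url = build_signin_request(ISSUER, REALM, wctx="rm=0&id=passive&ru=%2FApp%2F")
    print("redirect:", url)
    print("realm seen by STS:", realm_from_signin_request(url))
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `other_app_token` case is the one the answer describes: the token is perfectly valid and comes from the same STS, but because it was issued for a different realm it is rejected until that realm is added to audienceUris. Keeping the list to exactly the realms you intend to trust is what stops a token meant for one application from being replayed against another.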