Seems legitimate to me. In fact, initial versions of the draft sought to
simplify things by restricting the audience restriction and subject
confirmation to single elements but was expanded to allow for this kind of
scenario.
In my (somewhat limited) experience, however, support in SAML products f

Hi Pedro ... for what it's worth I am looking at something almost the same,
except using JWT with OIDC.
1. OIDC client (web app) requests an id_token from OIDC provider,
including a request object specifying that the audience of the JWT id_token
should include both the client_id and the
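As an added example (not code from the thread or from any of the products mentioned in it), here is the audience check a relying party has to perform when an id_token's `aud` claim lists more than one audience, as in the scenario above. RFC 7519 allows `aud` to be either a single string or an array of strings, so the verifier must accept both shapes, and it must reject a token whose `aud` does not name the verifying party even when the list is otherwise valid. The token and audience identifiers below are constructed for the example; signature verification is assumed to have happened before the claims are inspected.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding, as used in compact JWS."""
    pad = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + pad)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWS.

    Only the payload is decoded here; checking the signature against the
    provider's key is assumed to have been done already (out of scope).
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    return json.loads(b64url_decode(parts[1]))


def audience_accepts(claims: dict, my_identifier: str) -> bool:
    """RFC 7519 section 4.1.3 audience check.

    `aud` may be a single string or an array of strings.  The token is
    accepted only if the verifying party's own identifier is one of the
    listed audiences; a token meant for other parties only is rejected,
    and a missing or malformed `aud` is rejected as well.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        return False
    return my_identifier in audiences


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWS with an empty signature segment.

    Constructed purely so the example runs offline; a real id_token from an
    OIDC provider is signed and must be verified before parse_claims().
    """
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        "",
    ])


# Constructed sample: an id_token whose audience lists both the web app's
# client_id and a second party (identifiers are placeholders).
SAMPLE_CLAIMS = {
    "iss": "https://op.example",
    "sub": "user-123",
    "aud": ["web-app-client-id", "second-audience"],
    "exp": 4102444800,
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)


if __name__ == "__main__":
    claims = parse_claims(SAMPLE_TOKEN)
    for party in ("web-app-client-id", "second-audience", "unrelated-service"):
        print(party, "->", "accept" if audience_accepts(claims, party) else "reject")
```

The check is deliberately strict about shape: an `aud` that is an empty array, a non-string value, or absent altogether is rejected rather than treated as "any audience", since a lenient verifier on one of the parties is what turns a multi-audience token into a token replayable elsewhere.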