Audience validation failing when receiving a SAML Assertion


Published: 12/13/2018
When PingFederate is acting as a SAML Service Provider, you receive a SAML Assertion from your partner that results in an "Assertion audience condition validation failed" error:

WARN  [org.sourceid.saml20.util.AudienceEvaluator] no protocol: BADVALUE when checking audience BADVALUE against https://example.net:9031
WARN  [org.sourceid.saml20.protocol.ValidateWebSsoResponse] Invalid assertion 
Assertion (_0d10fac4-6e9c-45b8-a92c-4131bd253d03) Status: INVALID
Remarks:
Assertion audience condition validation failed, expecting ENTITYID or a SAML v1.x Assertion Consumer Service URL with the same hostname as the base URL (https://example.net:9031) in all audience restriction conditions.
DEBUG [org.sourceid.util.log.internal.TrackingIdSupport] [cross-reference-message] entityid:null subject:null


This indicates that the IdP partner has an incorrect "Partner EntityID" configured and is sending it in the "Audience" field of the SAML Assertion. PingFederate rejects the assertion because it considers the "Audience" value invalid.

To resolve this issue, the IdP will have to change the value it is sending to the expected value.

Alternatively, a "Virtual Server ID" can be added to the PingFederate SAML SP connection with the value the IdP is sending as "Audience". PingFederate will then expect this value and process the assertion.
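The rule the error message states, as an added Python example (not PingFederate's own code): each AudienceRestriction in the assertion must contain an Audience that equals the SP entity ID, equals a configured virtual server ID, or is a URL on the base URL's hostname, so the BADVALUE assertion from the log above fails until that value is added as a virtual server ID. The assertion XML and the SP entity ID are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion carrying the same BADVALUE audience as the log above.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_0d10fac4-6e9c-45b8-a92c-4131bd253d03" Version="2.0">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>BADVALUE</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed SP settings; the real entity ID is whatever the SP connection uses.
SP_ENTITY_ID = "https://example.net:9031/sp"
SP_BASE_URL = "https://example.net:9031"


def audience_ok(audience, entity_id, base_url, virtual_server_ids=()):
    """One Audience value is acceptable if it equals the SP entity ID, equals a
    configured virtual server ID, or is a URL whose hostname matches the base URL."""
    if audience == entity_id or audience in virtual_server_ids:
        return True
    parsed = urlparse(audience)
    if not parsed.scheme or parsed.hostname is None:
        return False  # a bare token such as BADVALUE: no protocol, nothing to compare
    return parsed.hostname == urlparse(base_url).hostname


def validate_audience(assertion_xml, entity_id, base_url, virtual_server_ids=()):
    """Every AudienceRestriction must hold (they are ANDed); within one restriction
    any listed Audience satisfies it. Returns (ok, list of offending audiences)."""
    root = ET.fromstring(assertion_xml)
    restrictions = root.findall(".//saml:Conditions/saml:AudienceRestriction", NS)
    if not restrictions:
        return False, []  # defensive choice in this example: unrestricted assertions are not accepted
    bad = []
    for restriction in restrictions:
        values = [(a.text or "").strip() for a in restriction.findall("saml:Audience", NS)]
        if not any(audience_ok(v, entity_id, base_url, virtual_server_ids) for v in values):
            bad.extend(values)
    return not bad, bad
```

Adding a virtual server ID widens what the SP accepts on that connection, so use it only for a value that genuinely identifies this SP.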
Category: Administration, Integrations, General, SAML