We have a client that is trying to SSO into our system but they are being blocked by the AudienceRestriction.
We checked the logs to ensure they are passing the correct Audience value but it seems they incorrectly passed it, and after consultation they added the additional Audience value seeing as they cannot remove the first Audience value.
They are still experiencing the issue and we do not wish to turn off AudienceRestriction.
Here is the SAML AudienceRestriction XML part they are passing to us:
<saml:Conditions NotBefore="2024-04-29T14:38:58.7081886Z" NotOnOrAfter="2024-04-29T15:38:58.7081886Z">
  <saml:AudienceRestriction>
    <saml:Audience>https://clienturl../_webservices/sso/SAML2/Service.aspx</saml:Audience>
    <saml:Audience>urn:xxxx:yyyy:serviceprovider</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>
From the above, the second audience value is the correct one. We looked at the code for ComponentSpace and it looks like it should have worked, but we are not sure why it's failing.
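An added diagnostic example, not part of the original post and not ComponentSpace code: it evaluates a logged Conditions fragment the way SAML 2.0 Core defines audience restriction (audiences inside one AudienceRestriction are alternatives, every AudienceRestriction element must be satisfied, comparison is exact) and reports near misses. The names `check_audience` and `_loose` are hypothetical, and the sample is the fragment above with a namespace declaration added.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the Conditions element from the post, with the saml
# namespace declaration added so the fragment parses on its own.
SAMPLE = """\
<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    NotBefore="2024-04-29T14:38:58.7081886Z"
    NotOnOrAfter="2024-04-29T15:38:58.7081886Z">
  <saml:AudienceRestriction>
    <saml:Audience>https://clienturl../_webservices/sso/SAML2/Service.aspx</saml:Audience>
    <saml:Audience>urn:xxxx:yyyy:serviceprovider</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>
"""


def _loose(value):
    # Normalisation used only to explain a failure, never to accept one.
    return value.strip().rstrip("/").lower()


def check_audience(xml_text, expected):
    """Return (ok, findings) for a logged fragment against our entity ID."""
    root = ET.fromstring(xml_text)  # diagnostic use on a logged fragment only
    ok, findings = True, []
    for n, restriction in enumerate(root.iter(f"{{{SAML_NS}}}AudienceRestriction"), 1):
        raw = [a.text or "" for a in restriction.iter(f"{{{SAML_NS}}}Audience")]
        if expected in raw:  # OR within one restriction, exact comparison
            findings.append(f"restriction {n}: exact match")
            continue
        ok = False  # AND across restrictions: one failure fails the assertion
        near = [v for v in raw if _loose(v) == _loose(expected)]
        if near:
            findings.append(f"restriction {n}: near miss {near!r} "
                            "(whitespace, case or trailing slash)")
        else:
            findings.append(f"restriction {n}: no match among {raw!r}")
    if not findings:
        findings.append("no AudienceRestriction present")
    return ok, findings


if __name__ == "__main__":
    print(check_audience(SAMPLE, "urn:xxxx:yyyy:serviceprovider"))
```

Running it with the exact entity ID string configured on the service provider shows whether the logged value differs only by padding, case or a trailing slash, or whether a second AudienceRestriction element elsewhere in the assertion is the one failing.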