The audience restriction XXX doesn't match the expected audience restriction urn:componentspace:SentryIdentityProvider.

Hi,

Getting this error using ADFS (idp) to AssertionConsumerService.aspx (sp)

“The audience restriction XXX doesn’t match the expected audience restriction urn:componentspace:SentryIdentityProvider.”

But when I set

DisableAudienceRestrictionCheck="true"

in the ‘PartnerIdentityProvider’ section in SAML.config (sp) it works fine.

What is the common cause for this issue? I would like to set DisableAudienceRestrictionCheck back to FALSE.

Some additional info:
- Using SHA-1, going to be switching to 2 shortly (not sure if this won't be an error).
- We are using the ASP.NET 4.0 version of the ComponentSpace DLL (our application is also .NET 4).

- Please help.
Thanks,
Adam

Hi Adam
The SAML assertion may include an audience restriction condition. What this means is that the SAML assertion should only be used by the intended audience.
The intended audience is identified by the service provider’s name.
The service provider’s name is the Name value from your saml.config.
If the audience value in the SAML assertion doesn’t match the service provider’s name, you’ll get the exception you are seeing.
Generally this means there’s a configuration mismatch.
Ensure the partner identity provider has the correct name for your service provider.
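To make the check described above concrete, here is an added Python illustration (not ComponentSpace's code) of what an audience restriction check does: it reads every AudienceRestriction condition from a constructed SAML 2.0 assertion and compares the Audience values against the service provider's configured Name, raising the same style of error when they differ. The assertion, the issuer and the SP URL are constructed sample values; the SentryIdentityProvider name is the one from the error message above.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


class AudienceRestrictionError(ValueError):
    """Raised when the assertion is scoped to an audience other than this service provider."""


def check_audience(assertion_xml, expected_audience, disable_check=False):
    """Validate the assertion's AudienceRestriction conditions against the SP's Name.

    SAML 2.0 semantics: every AudienceRestriction element must be satisfied, and one
    is satisfied when any of its Audience children equals the expected audience.
    Comparison is an exact string match (illustrative; a library may normalise differently).
    """
    if disable_check:
        # Equivalent to DisableAudienceRestrictionCheck="true": the scope is not enforced.
        return True
    root = ET.fromstring(assertion_xml)
    restrictions = root.findall("saml:Conditions/saml:AudienceRestriction", NS)
    if not restrictions:
        # The IdP did not scope the assertion to any audience, so there is nothing to match.
        return True
    for restriction in restrictions:
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            raise AudienceRestrictionError(
                "The audience restriction %s doesn't match the expected audience restriction %s."
                % (", ".join(audiences), expected_audience)
            )
    return True


# Constructed sample assertion, shaped like one an ADFS relying party trust would issue.
ASSERTION_FROM_ADFS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2017-02-16T00:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2017-02-16T00:00:00Z" NotOnOrAfter="2017-02-16T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    # Relying party identifier in ADFS and SP Name in saml.config agree: passes.
    print(check_audience(ASSERTION_FROM_ADFS, "https://sp.example.com/"))
    # SP Name differs from what ADFS put in the assertion: the configuration mismatch surfaces here.
    try:
        check_audience(ASSERTION_FROM_ADFS, "urn:componentspace:SentryIdentityProvider")
    except AudienceRestrictionError as err:
        print(err)
```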

[quote]
ComponentSpace - 2/16/2017
Hi Adam
The SAML assertion may include an audience restriction condition. What this means is that the SAML assertion should only be used by the intended audience.
The intended audience is identified by the service provider's name.
The service provider's name is the Name value from your saml.config.
If the audience value in the SAML assertion doesn't match the service provider's name, you'll get the exception you are seeing.
Generally this means there's a configuration mismatch.
Ensure the partner identity provider has the correct name for your service provider.
[/quote]

So the IdP (client) ADFS needs the same name that I have in my SAML.config file in the section, correct?

Can the name in the section be anything or does it need to start with "urn:"?

Thanks for the quick reply.

- Adam

That’s correct.
ADFS refers to this as the relying party’s trust identifier. It’s found under the Identifiers tab of the relying party’s properties in the ADFS console.
Strictly speaking, as per the SAML specification, the name should be a URI, which means either a URN or a URL.
We now recommend using a URL as some SAML offerings don’t support URNs.
The URL must uniquely identify your service provider. It doesn’t have to point to a web resource, although it can if you like.
For example, it could be the home page of your web application.