Attempting to access the SDM Tomcat URL https://company.com:443/CAisd/pdmweb.exe after setting up SDM Tomcat for SAML results in the error shown below:
com.auth10.federation.FederationException: The token applies to an untrusted audience: https://company.com/CAisd/pdmweb.exe at com.auth10.federation.SamlTokenValidator.validate(SamlTokenValidator.java:179)
Release: 17.4 +
Component: CA Service Desk
An ADFS Admin creates a Relying Party Trust (Enable SAML Authentication for CA SDM) for SDM with an Endpoint like https://company.com:443/CAisd/pdmweb.exe
Pay careful attention to whether the Endpoint defined there includes the port number :443 (like https://company.com:443/CAisd/pdmweb.exe) or omits it (like https://company.com/CAisd/pdmweb.exe).
Check the values of the audienceuris field in the file NX_ROOT/bopcfg/www/CATALINA_BASE/shared/resources/federation.properties
Ensure that the Endpoint definition of the Relying Party Trust in ADFS exactly matches one of the audienceuris values in this file
If the Endpoint value is https://company.com/CAisd/pdmweb.exe but federation.properties only has https://company.com:443/CAisd/pdmweb.exe, the URI is not an exact match and the error noted above is seen.
Once https://company.com/CAisd/pdmweb.exe is added as an additional audienceuris value in federation.properties, restart SDM Tomcat to resolve the issue.
Below is a sample audienceuris setting with multiple values, covering the :8443 and :443 ports as well as an HTTPS URL with no explicit port.
federation.audienceuris= https://company.com:8443/CAisd/pdmweb.exe|https://company.com:443/CAisd/pdmweb.exe|https://company.com/CAisd/pdmweb.exe
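As an added illustration (not code from the SDM product or this article), the Python below mirrors the check behind the FederationException: the Audience asserted in the SAML token is compared as an exact string against the pipe-separated federation.audienceuris list, so the :443 and no-port spellings of the same endpoint match only when both are listed. The properties text and the assertion fragment are constructed samples, and port_variants is a helper introduced here to enumerate the spellings worth listing.

```python
"""Audience-restriction check as a strict string match against federation.audienceuris."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed federation.properties content with only the :443 spelling listed.
FEDERATION_PROPERTIES = """\
# SDM Tomcat SAML settings (sample)
federation.audienceuris= https://company.com:443/CAisd/pdmweb.exe
"""

# Constructed SAML assertion fragment; ADFS issued it for the Relying Party
# Endpoint defined without a port, so the Audience has no :443.
ASSERTION_XML = f"""\
<saml:Assertion xmlns:saml="{SAML_NS}" ID="_sample" Version="2.0">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://company.com/CAisd/pdmweb.exe</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""

def load_audience_uris(properties_text):
    """Return the pipe-separated federation.audienceuris values, whitespace stripped."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "federation.audienceuris":
            return [u.strip() for u in value.split("|") if u.strip()]
    return []

def token_audiences(assertion_xml):
    """Extract every <saml:Audience> the identity provider placed in the token."""
    root = ET.fromstring(assertion_xml)
    return [a.text.strip() for a in root.iter(f"{{{SAML_NS}}}Audience") if a.text]

def audience_trusted(token_auds, configured):
    """Exact comparison, no URL normalisation: the validator rejects anything not listed verbatim."""
    return any(aud in configured for aud in token_auds)

def port_variants(uri):
    """Both spellings of one HTTPS endpoint (explicit :443 and no port) so both can be listed."""
    parts = urlsplit(uri)
    host = parts.hostname or ""
    bare = parts._replace(netloc=host).geturl()
    explicit = parts._replace(netloc=f"{host}:443").geturl()
    return sorted({bare, explicit})
```

The strict match is the intended behaviour of the audience check; the remedy is to list every legitimate spelling of the endpoint in federation.audienceuris, not to loosen the comparison.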