EDR: SAML Logins Failing: AudienceRestrictions conditions not satisfied!
search cancel

EDR: SAML Logins Failing: AudienceRestrictions conditions not satisfied!


Article ID: 284958


Updated On:


Carbon Black Hosted EDR (formerly Cb Response Cloud)


  • Login is met with 403 when authenticating through 3rd party IDP
  • /var/log/cb/coreservices/debug.log shows the following exception:
2021-03-22 13:30:44 [61518] <err>  cb.flask.blueprints.api_routes_saml - SSO assertion auth failure
Traceback (most recent call last):
  File "/usr/share/cb/virtualenv/lib/python3.8/site-packages/cb/flask/blueprints/api_routes_saml.py", line 558, in saml_assertion
  File "/usr/share/cb/virtualenv/lib/python3.8/site-packages/cb/flask/blueprints/api_routes_saml.py", line 193, in handle_assertion
  File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/saml2/client_base.py", line 811, in parse_authn_request_response
    resp = self._parse_response(
  File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/saml2/entity.py", line 1507, in _parse_response
  File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/saml2/response.py", line 1045, in verify
    if self.parse_assertion(keys):
  File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/saml2/response.py", line 931, in parse_assertion
    if not self._assertion(assertion, False):
  File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/saml2/response.py", line 811, in _assertion
    if not self.condition_ok():
  File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/saml2/response.py", line 603, in condition_ok
    raise Exception("AudienceRestrictions conditions not satisfied! (Local entity_id=%s)" % self.entity_id)
Exception: AudienceRestrictions conditions not satisfied! (Local entity_id=<instance name pulled from sso.conf>)
2021-04-14 19:40:29 [184255] <debug> saml2.response - AudienceRestriction - One condition not satisfied: https://<hostname/IP>:8443 != https://<hostname/ IP>


  • EDR Server: 7.4.2+


  • Update between ~7.4.1 and 7.4.2 EDR Server version included upgrading pysaml2 which may require a more explicit form of the AudienceRestrictions URI that matches the /etc/cb/sso/sso.conf files 'entityid' parameter.


  • Update the Audience URI (also observed as 'Audience' on some IDP/SAML Providers) on the IDP/SAML side to be explicitly what's shown in the for the 'entityid' in the /etc/cb/sso/sso.conf file
  • Attempt SAML login again.
  • If the issue is still present, please contact VMWare Carbon Black Support.