SiteMinder is the Service Provider (SP).
A third-party IdP sends a SAMLResponse, but SiteMinder rejects it with the following error:
[10/11/2024][14:18:31][140133575685696][][SmAuthSaml.cpp:1345][][][][][][LogMessage:ERROR:[sm-log-00000] SmAuthenticateJNI() failed. Assertion rejected (_e805052a556a91c021952a69b3d8ad02b954) AudienceRestriction contained only audiences that did not match SPID: http://www.example.netSAML20: failed to find acceptable assertion in Response message]
The whole transaction in smtracedefault.log shows why the Assertion is rejected: the Audience value in the assertion does not match the value the SP expects.
[10/11/2024][14:18:31][140133575685696][307603ea-d02acdd7-222a84b0-36780095-8349dc79-64][Saml2Validator.java][checkAssertion][][][][][Audience found in assertion: https://www.example.net]
[10/11/2024][14:18:31][140133575685696][307603ea-d02acdd7-222a84b0-36780095-8349dc79-64][Saml2Validator.java][checkAssertion][][][][][Assertion rejected (_e805052a556a91c021952a69b3d8ad02b954) AudienceRestriction contained only audiences that did not match SPID: http://www.example.net]
Here the received SAMLResponse carries the Audience value "https://www.example.net".
In SiteMinder Federation the Audience field is normally left blank, in which case the SPID is automatically used as the Audience.
The SPID here is "http://www.example.net", so when no Audience is explicitly configured the Policy Server compares the assertion's Audience against that value.
The comparison is an exact string match, so the difference in scheme alone (https versus http) is enough for the Assertion in the SAMLResponse to be rejected.
This can be resolved in either of two ways; whichever is chosen, the two values must match exactly.
1. On the IdP side, change the Audience value to "http://www.example.net" so it matches what is configured at the SP.
2. On the SP side, explicitly set the Audience value to "https://www.example.net" so it matches what the IdP sends.
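The following is an added example, not SiteMinder code, that reproduces the audience check described above so the two fixes can be tried offline. It parses a constructed minimal SAMLResponse (no signature or subject; the audience check does not look at those), takes the SPID as the expected Audience unless one is configured explicitly, and compares with an exact string match. The function names and the sample XML are this example's own; the only thing taken from the page is the behaviour that a blank Audience falls back to the SPID and that "https://www.example.net" does not match "http://www.example.net".

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (not a captured message): one assertion carrying the
# Audience the IdP sent in this case. Signature, Subject and timestamps are
# omitted because the audience check does not depend on them.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_response1" Version="2.0">
  <saml:Assertion ID="_assertion1" Version="2.0">
    <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://www.example.net</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def expected_audience(spid, configured_audience=None):
    """Audience the SP requires: the explicitly configured value if one was
    entered, otherwise the SPID (the default behaviour described above)."""
    return configured_audience if configured_audience else spid


def audiences_of(assertion):
    """Every <saml:Audience> under the assertion's Conditions. Only surrounding
    whitespace is stripped; no URL normalisation is done on purpose, because
    scheme, host, path and trailing slash all count in the comparison."""
    path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in assertion.findall(path, NS) if a.text]


def check_response(response_xml, spid, configured_audience=None):
    """Apply the audience check to each assertion in the Response.

    Returns a list of (assertion_id, accepted, reason) tuples.
    """
    root = ET.fromstring(response_xml)
    expected = expected_audience(spid, configured_audience)
    results = []
    for assertion in root.findall("saml:Assertion", NS):
        aid = assertion.get("ID")
        found = audiences_of(assertion)
        if not found:
            # Strict choice made for this example: an assertion naming no
            # audience is not accepted. The page does not state what
            # SiteMinder does in that case.
            results.append((aid, False, "no AudienceRestriction present"))
        elif expected in found:
            results.append((aid, True, "audience matched " + expected))
        else:
            results.append((aid, False,
                            "audience(s) " + ", ".join(found)
                            + " did not match expected " + expected))
    return results


def response_accepted(response_xml, spid, configured_audience=None):
    """True if at least one assertion in the Response passes the check."""
    return any(ok for _, ok, _ in
               check_response(response_xml, spid, configured_audience))


if __name__ == "__main__":
    spid = "http://www.example.net"
    # As received: rejected, only the scheme differs.
    print(check_response(SAMPLE_RESPONSE, spid))
    # Fix 1: IdP sends the SPID value as the Audience.
    fixed_by_idp = SAMPLE_RESPONSE.replace(
        "<saml:Audience>https://www.example.net",
        "<saml:Audience>http://www.example.net")
    print(check_response(fixed_by_idp, spid))
    # Fix 2: SP configures the Audience explicitly to what the IdP sends.
    print(check_response(SAMPLE_RESPONSE, spid,
                         configured_audience="https://www.example.net"))
```

Running the block prints the rejection for the response as received and the acceptance after each of the two fixes. Keeping the comparison exact rather than "helpfully" normalising http to https is deliberate: the audience restriction is what stops an assertion issued for one relying party from being replayed at another, so the SP should require the IdP to name it precisely rather than widen what it accepts.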
On the SP side, the Audience is set in the following section (the "SSO and SLO" tab).