IdP initiated SSO

Mike Flynn shibbolethlynda at
Thu Feb 7 15:43:16 EST 2013

OK, I used this example for the IdP:

<Conditions NotBefore="2007-02-07T20:22:58.162Z" NotOnOrAfter="2007-02-07T20:24:58.162Z">
  <AudienceRestrictionCondition>
    <Audience></Audience>
  </AudienceRestrictionCondition>
</Conditions>

The IdP tried both of these:
<saml:Conditions NotBefore="2013-02-07T19:51:27Z" NotOnOrAfter="2013-02-07T19:57:27Z">
<saml:Conditions NotBefore="2013-02-07T19:46:48Z" NotOnOrAfter="2013-02-07T19:52:48Z">

And gets this error with either one:

xmltooling::UnmarshallingException at (
Invalid child element: AudienceRestriction

From: "Cantor, Scott" <cantor.2 at>
To: Shib Users <users at>
Sent: Thursday, February 7, 2013 11:40 AM
Subject: RE: IdP initiated SSO

> OK I dug up the setting in the Wiki, re-tested and we get this error:

Cool, or not so cool I suppose, that really should be getting logged. Sigh.

> AudienceRestriction must have at least one Audience

There's your bug then.

> Googling around with that, I assume the entityID for the request as the value
> for this should work, correct?

Yes, that's set to the entityID of your SP.

-- Scott
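
The check discussed in this thread, as an added example that is not part of the original messages and is not Shibboleth's own code: a SAML 2.0 Conditions validator that rejects an AudienceRestriction with no Audience and requires the SP's entityID to be listed. The entityID `https://sp.example.org/shibboleth`, the function names and the sample XML are constructed for illustration; signature verification and clock-skew allowance are left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"  # assumed placeholder entityID


def parse_instant(value):
    # SAML instants are UTC; fractional seconds are optional.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_conditions(conditions_xml, sp_entity_id, now):
    """Return a list of problems; an empty list means the Conditions pass."""
    cond = ET.fromstring(conditions_xml)  # constructed input only, not untrusted XML
    if cond.tag != f"{{{SAML2}}}Conditions":
        return ["root is not a SAML 2.0 Conditions element"]
    problems = []
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_instant(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after and now >= parse_instant(not_on_or_after):
        problems.append("assertion expired")
    restrictions = cond.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        # The Web Browser SSO profile requires one on bearer assertions.
        problems.append("no AudienceRestriction")
    for restriction in restrictions:
        audiences = [(a.text or "").strip()
                     for a in restriction.findall("saml:Audience", NS)]
        if not audiences:
            problems.append("AudienceRestriction must have at least one Audience")
        elif sp_entity_id not in audiences:
            # Every AudienceRestriction present must list this SP.
            problems.append("SP entityID is not a listed Audience")
    return problems


def sample(inner):
    # Constructed sample using the validity window quoted in the thread.
    return (f'<saml:Conditions xmlns:saml="{SAML2}" '
            f'NotBefore="2013-02-07T19:51:27Z" '
            f'NotOnOrAfter="2013-02-07T19:57:27Z">{inner}</saml:Conditions>')


GOOD = sample("<saml:AudienceRestriction><saml:Audience>" + SP_ENTITY_ID
              + "</saml:Audience></saml:AudienceRestriction>")
EMPTY = sample("<saml:AudienceRestriction/>")
```
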
