SP: Assertion contains an unacceptable AudienceRestriction

Scott Gerlach sgerlach at gmail.com
Thu Aug 13 12:25:42 EDT 2015


I am also having issues with the AudienceRestriction and have read through
this thread
(http://shibboleth.net/pipermail/users/2012-September/005975.html) and am
still having issues.


Apache Config
<VirtualHost *:443>
 ServerName myserver.com
 ProxyRequests Off
 UseCanonicalName On
 UseCanonicalPhysicalPort On
 SSLEngine on
 SSLProtocol ALL -SSLv2
 SSLCertificateFile /etc/pki/tls/certs/myserver.crt
 SSLCertificateKeyFile /etc/pki/tls/private/myserver.key
 ShibCompatValidUser On

 <Location /Shibboleth.sso>
   AuthType None
   Require all granted
 </Location>

 <IfModule mod_alias.c>
   <Location /shibboleth-sp>
     AuthType None
     Require all granted
   </Location>
   Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
 </IfModule>
 <Location /Shibboleth.sso>
   SetHandler shib
 </Location>
 <Location />
    AuthType shibboleth
    Require shib-session
    ShibBasicHijack on
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId default
    Require valid-user
 </Location>

Changed sections of shibboleth.xml
 <ApplicationDefaults entityID="https://myserver.com/"
                         REMOTE_USER="eppn persistent-id targeted-id">
 <SSO entityID="http://www.okta.com/oktaid123454">
              SAML2 SAML1
 </SSO>

Okta Side
SSO URL: https://myserver.com/Shibboleth.sso/SAML2/POST
Audience URI: https://myserver.com/

Every time I access myserver.com I get redirected to the IdP (Okta), auth
happens correctly and redirects me to the SSO URL, at which point the SP
errors with

opensaml::FatalProfileException at (https://myserver.com/Shibboleth.sso/SAML2/POST)

Assertion contains an unacceptable AudienceRestriction.

and the native.log contains

2015-08-13 09:08:51 ERROR Shibboleth.Listener [28218] shib_check_user: remoted message returned an error: Assertion contains an unacceptable AudienceRestriction.

2015-08-13 09:08:51 ERROR Shibboleth.Apache [28218] shib_check_user: Assertion contains an unacceptable AudienceRestriction.

Any advice on where I messed this up / how to fix?


Thanks
-Scott
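
An added diagnostic example, not part of the original post and not Shibboleth project code: it extracts the Audience values from a base64-encoded SAMLResponse (as posted to /Shibboleth.sso/SAML2/POST) and compares them with the SP entityID, assuming the SP accepts an audience only on an exact string match. The sample response, the function names and the mismatch categories are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUDIENCE_PATH = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"

def audiences_from_response(b64_response):
    """Return every <saml:Audience> value in a base64-encoded SAMLResponse."""
    root = ET.fromstring(base64.b64decode(b64_response))
    return [el.text or "" for el in root.iterfind(AUDIENCE_PATH, SAML_NS)]

def explain_mismatch(audience, entity_id):
    """Describe why two near-identical URIs fail an exact string comparison."""
    if audience == entity_id:
        return "match"
    if audience.strip() == entity_id:
        return "surrounding whitespace in Audience"
    if audience.rstrip("/") == entity_id.rstrip("/"):
        return "trailing slash differs"
    if audience.lower() == entity_id.lower():
        return "case differs"
    if audience.split("://", 1)[-1] == entity_id.split("://", 1)[-1]:
        return "scheme differs (http vs https)"
    return "different URI"

def check_audience(b64_response, entity_id):
    """Return (accepted, [(audience, reason), ...]) for one SP entityID."""
    found = audiences_from_response(b64_response)
    report = [(a, explain_mismatch(a, entity_id)) for a in found]
    return any(reason == "match" for _, reason in report), report

# Constructed sample response (not taken from the post): the Audience lacks
# the trailing slash that the SP entityID in shibboleth2.xml carries.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:Assertion><saml:Conditions><saml:AudienceRestriction>"
    "<saml:Audience>https://myserver.com</saml:Audience>"
    "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
    "</samlp:Response>"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode())

if __name__ == "__main__":
    accepted, report = check_audience(SAMPLE_B64, "https://myserver.com/")
    print("accepted:", accepted)
    for audience, reason in report:
        print(repr(audience), "->", reason)
```

If the IdP encrypts assertions, the Audience is not visible in the captured response and the report comes back empty.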