SP: Assertion contains an unacceptable AudienceRestriction

Scott Gerlach sgerlach at gmail.com
Thu Aug 13 17:13:12 EDT 2015


>
> >I guess maybe some oddness with the XML from Okta could be involved. That
> can be subtle. Can you post the entire Response?
>
You betcha! Somewhat sanitized, but it is the full Response:



<!-- NOTE(review): this listing went through a mail client, so several attribute
     values below (Destination, the Algorithm URIs, the xmlns:ec URI, Recipient)
     are wrapped onto a second line. A parser normalises a line break inside an
     attribute value to a space, which would corrupt those URIs and change the
     canonical form both signatures were computed over. Treat the wrapping as a
     transcription artifact of the e-mail, not as something the IdP emitted. -->
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="https://myserver.com/Shibboleth.sso/SAML2/POST
"
                 ID="id31009012803127171573256615"
                 InResponseTo="_82f54b67d5db3a8a27d37ce4c86ab246"
                 IssueInstant="2015-08-13T17:47:13.156Z"
                 Version="2.0"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema"
                 >
    <!-- The Issuer is the IdP entityID; the SP uses it to look up the IdP's
         metadata and therefore the key it will accept for the signatures below.
         Destination above must equal the SP's own ACS endpoint URL or the SP
         rejects the Response before looking at the assertion. -->
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  >http://www.okta.com/oktaid123454</saml2:Issuer>
    <!-- Signature over the whole Response (Reference URI points at the Response
         ID). Exclusive C14N without comments is used, so XML comments such as
         these review notes are not part of the digested bytes; the enveloped
         transform excludes the Signature element itself. A verifier must check
         that the referenced ID really is the element being relied on (the
         Response here, the Assertion below) to resist signature wrapping. -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#id31009012803127171573256615">
                <ds:Transforms>
                    <ds:Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#">
                        <!-- "xs" is forced into the canonical form because the
                             xsi:type="xs:string" attribute values in the
                             AttributeStatement depend on that prefix binding. -->
                        <ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#"
                                                PrefixList="xs"
                                                />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#sha256" />

<ds:DigestValue>CNfvV04BeIx6gHgo0eQN8eGGfn6XZrOdCiHGQ/5Pdnc=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>

<ds:SignatureValue>IjQ8o4jqWfm2V5QH1dqhb42HdAcxF+Srbb+EQyiUDuzvkMMaJ3NyAhuzttqlF57piclfUgyD2CCjWM+LWRZ6WOjNNbc1j8YlBPyxAGH/1AqW5QlMptif6dtZtOPWXkMDZk/LidEq2bnxj9aJc6xFcwPH4NWjCpHh5y01roZVM2EB7+jj5bcLakmfhMXHuB8MVIMclp2M1HNcDvm94++2OvOJE7GFWnQ/sEpoHDgo5tc3uLxHZKrTdDHTcuYi+NGcVj5SvI3fCCnZ8SugdoJ1F8Vj8LY7GA9TxaqIIKfcM+bqbvULISkjQ8lTyETxhANboSUGTJQ1CQpKC6ITjU5VbA==</ds:SignatureValue>
        <!-- KeyInfo is a hint only: the SP must take the trusted key from the
             IdP's metadata, never from this inline certificate. The DER prefix
             (…MA0GCSqGSIb3DQEBBQUA…) decodes to OID 1.2.840.113549.1.1.5,
             i.e. the certificate itself is sha1WithRSAEncryption; that only
             matters if the SP is configured to validate certificate chains
             rather than pin the key from metadata. Verify against the SP's
             TrustEngine configuration. -->
        <ds:KeyInfo>
            <ds:X509Data>

<ds:X509Certificate>MIIDnjCCAoagAwIBAgIGAUvcNiL8MA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG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</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <!-- The Assertion carries its own signature with the same key and the same
         algorithms as the Response signature; either one is sufficient for an
         SP that requires signed assertions, but both must verify if present. -->
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="id31009012804284251001162800"
                     IssueInstant="2015-08-13T17:47:13.156Z"
                     Version="2.0"
                     xmlns:xs="http://www.w3.org/2001/XMLSchema"
                     >
        <saml2:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                      >http://www.okta.com/oktaid123454</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#id31009012804284251001162800">
                    <ds:Transforms>
                        <ds:Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#"
                                                    PrefixList="xs"
                                                    />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#sha256" />

<ds:DigestValue>V91b0StZzdNKByp1r7XbVtAmPhtRMoMZgEkX8Z0K4xE=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>

<ds:SignatureValue>WmlUBVTWAzOZMnIdJe8P+IzRoGjSJX0ICb3glnIotDk8zbZQDrCyJDdoxUMWLNHiojdwZqEoi33g9xq1BTbnxJgzC35eC7U9kktrhVmDd1eM+hWA+uAzXAHOfXRfbQxyz4XIpiMccN6CmjdtC5JKrevBuIRHyKLjt26gSJxA7WqK+2uH7T2MqgIPwhY+FDpy2yYcxzWqg7/JbeI3PGRQrhDzLElaELwD0kkuNuJBT9Jh4yVq8Cah7V5dNd2mY3L/AwstVtjgsVeHeeMBbe0XFnrY6frnVBCdSoHv5h4yXbtDxxaHS7GR4zfuYVbhDAYCxwoaYAWNd2HIxUYKsfbeFQ==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>

<ds:X509Certificate>MIIDnjCCAoagAwIBAgIGAUvcNiL8MA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG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</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <!-- NameID uses the SAML 1.1 "unspecified" format although the value looks
             like an e-mail address. The SP should not treat it as a verified
             e-mail unless the IdP is known to guarantee that; map it explicitly
             in the SP's attribute configuration rather than by format. -->
        <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
sgerlach at company.com</saml2:NameID>
            <!-- Bearer confirmation: the three attributes below are the SP's
                 anti-replay and anti-relay checks. InResponseTo must match an
                 outstanding AuthnRequest ID, Recipient must equal the SP's ACS
                 URL exactly, and the assertion is unusable from NotOnOrAfter. -->
            <saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData
InResponseTo="_82f54b67d5db3a8a27d37ce4c86ab246"

 NotOnOrAfter="2015-08-13T17:52:13.156Z"
                                               Recipient="
https://myserver.com/Shibboleth.sso/SAML2/POST"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <!-- Validity window is IssueInstant plus/minus five minutes; the SP's
             clock must fall inside it (plus whatever clock skew the SP allows),
             so an SP without time synchronisation fails here rather than on
             the audience check. -->
        <saml2:Conditions NotBefore="2015-08-13T17:42:13.156Z"
                          NotOnOrAfter="2015-08-13T17:52:13.156Z"

xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                          >
            <!-- NOTE(review): this is the element behind the error in the subject
                 line. The Audience value is compared as an exact string (no
                 normalisation, no prefix matching) against the SP's own entityID,
                 i.e. the entityID attribute on <ApplicationDefaults> in
                 shibboleth2.xml. It is NOT compared against the Destination or
                 Recipient URLs above, which are the ACS endpoint. The IdP fills
                 this from its "Audience URI (SP Entity ID)" app setting, so
                 unless the SP's entityID is literally "https://myserver.com"
                 (the conventional Shibboleth default is a different string,
                 e.g. "https://myserver.com/shibboleth") this is most likely the
                 mismatch. Confirm by comparing the two strings byte for byte,
                 including scheme, trailing slash and case. -->
            <saml2:AudienceRestriction>
                <saml2:Audience>https://myserver.com</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <!-- SessionIndex reuses the AuthnRequest ID rather than an IdP session
             identifier; harmless for login, but it is the value the SP would
             send back in a LogoutRequest, so confirm the IdP accepts it. -->
        <saml2:AuthnStatement AuthnInstant="2015-08-13T17:47:13.156Z"

SessionIndex="_82f54b67d5db3a8a27d37ce4c86ab246"

xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                              >
            <saml2:AuthnContext>

<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <!-- Attribute names are in the "unspecified" name format, so the SP's
             attribute-map.xml must list them with these exact names. Note the
             inconsistent casing ("firstName" vs "lastname"); the match is
             case-sensitive, so the map entries have to mirror it. -->
        <saml2:AttributeStatement
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:Attribute Name="firstName"

 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xs="
http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >Scott</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="lastname"

 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xs="
http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >Gerlach</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>