SP: Assertion contains an unacceptable AudienceRestriction
Scott Gerlach
sgerlach at gmail.com
Fri Aug 14 12:40:40 EDT 2015
>
> > Is the flow here SP->IdP, and if so, can you add in a trace of an
> > AuthnRequest that's triggering the response?
>
Yup, should be SP->IdP, and here's the HTTP request that triggers the SAML auth:

GET https://myserver.com/ HTTP/1.1
Host: myserver.com
User-Agent: A browser of some type. :)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate

HTTP/?.? 302 Found
Date: Fri, 14 Aug 2015 16:29:25 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
Expires: Wed, 01 Jan 1997 12:00:00 GMT
Cache-Control: private,no-store,no-cache,max-age=0
Location: https://company.okta.com/app/okta_app/oktaid123454/sso/saml?SAMLRequest=fZJPb%2BIwEMW%2FSuQ7cZLlr0WQ2HJYJJZFQHvoBTn2QAyJ7fU4bfj2TUhRW6nq1Z55v3lvZoq8LCybVz7XW%2FhfAfqgLguN7PaRksppZjgqZJqXgMwLtpv%2FXbEkjJh1xhthChLMEcF5ZfSD0ViV4HbgXpSAx%2B0qJbn3FhmlCKLnmp76GorCVDKU8BLavP4VnuSJ7nKVZaYAn4eIhraQhG7%2B7fYkWDRTKc1b%2FQ%2B1k5FcymtoLp6HwpSUW3t%2FPCh9NA2uox1iCvUlFv7Ms%2FNwfdna4TmqR7TFtC5JsFyk5JD0J%2FFomI3kOMlgEo9lPzryJJLHbAAQ9UdNGWIFS42ea5%2BSJIoHvWjci%2Fv7eMiSCUsGzyTYvGfyW2mp9OnnALOuCNmf%2FX7T68w%2BgcOb0aaAzKbtgOwGdp8W87Msv2%2BDzO5pcctFDl3836Q%2FpZ84HdSydSO8XGxMocQ1mBeFeX1wwD2kJCZ01rV8PZ3ZGw%3D%3D&RelayState=ss%3Amem%3A7e7e341f48dfb6f4b945fa4776f59b131261101b8de3ccef9e869a533e0f15b2&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=i17MymbVxz21g63A3Cp%2B1tBP%2F%2F5L%2B0WFq5slUkAIRovX28Ma%2FLHPaKWCTedj2MkVNbtM2I3CdQwh1FzNRhdru6TeiK1Z%2F6RdygL%2BVfsR3jM1RTtnL5HshYc%2BrfV1rcIHfUb79pUg5V0r6eYMQPPo9vgQ7KZeUUnQ1uwbREDxrwCcIqbU33S%2FTKdz2riqa791kHE4oHXEbmCsxX7WoTl2UY2gTy9E%2BP49GEtKpFfhNmzThtGI9IzqNZ9jqWpmF%2Fl%2FHhDUfSU70mRT1r8LdX3Gxq%2By0yncvZJBkbJ18oHapQkAWvYMUloYGt74OPVjk5ctzG18IZyWnzaKDq0cBv%2F5tg%3D%3D
Content-Length: 1351
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
And following the 302 to the location, this is the SAML data that goes with it:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://myserver.com/Shibboleth.sso/SAML2/POST"
    Destination="https://company.okta.com/app/okta_app/oktaid123454/sso/saml"
    ID="_249176b7d82be918d40fa20dfb5ee047"
    IssueInstant="2015-08-14T16:29:25Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://myserver.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1" />
</samlp:AuthnRequest>
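The trace above shows the two pieces an SP admin has to line up when chasing an "unacceptable AudienceRestriction" error: the SAMLRequest parameter on the redirect (raw-DEFLATE, base64, URL-encoded per the HTTP-Redirect binding) carries the SP's Issuer, and the IdP's assertion must carry an Audience equal to that same SP entityID. The script below is an added example, not part of the thread or of the Shibboleth project. It decodes and re-encodes a Redirect-binding SAMLRequest, pulls the Issuer and ACS URL out of it, and then applies the SP-side audience rule to a constructed IdP Response whose Audience does not match the SP's entityID. The AuthnRequest is a constructed copy of the one in the post; the Response, its IdP Issuer, and the mismatched Audience value are assumptions made up for the demonstration.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed AuthnRequest, modelled on the one in the thread.
AUTHN_REQUEST_XML = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://myserver.com/Shibboleth.sso/SAML2/POST"
    Destination="https://company.okta.com/app/okta_app/oktaid123454/sso/saml"
    ID="_249176b7d82be918d40fa20dfb5ee047"
    IssueInstant="2015-08-14T16:29:25Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://myserver.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1" />
</samlp:AuthnRequest>"""

# Constructed, unsigned IdP Response (assumption: IdP issuer and Audience value are invented).
# The Audience here is NOT the SP's entityID, which is the situation behind the SP error.
RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r1">
  <saml:Assertion Version="2.0" ID="_a1" IssueInstant="2015-08-14T16:29:26Z">
    <saml:Issuer>http://www.okta.com/exampleidp</saml:Issuer>
    <saml:Conditions NotBefore="2015-08-14T16:24:26Z" NotOnOrAfter="2015-08-14T16:34:26Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://myserver.com/shibboleth</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), base64, URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate stream
    raw = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_redirect(param: str) -> str:
    """Reverse of encode_redirect: URL-decode, base64-decode, inflate raw DEFLATE."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(raw, -15).decode("utf-8")


def summarize_authn_request(xml_text: str) -> dict:
    """Pull out the fields an SP admin compares against IdP configuration."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "id": root.get("ID"),
    }


def audience_check(response_xml: str, sp_entity_id: str):
    """SP-side audience rule: every AudienceRestriction must list the SP's own entityID.

    Multiple AudienceRestriction elements are ANDed; Audience values inside one
    are ORed. An assertion with no AudienceRestriction passes this simplified
    check, as the SAML Conditions semantics allow; a production SP may be stricter.
    Returns (accepted, audiences_seen) so a log line can show what the IdP sent.
    """
    root = ET.fromstring(response_xml)
    seen = []
    for restriction in root.iterfind(".//saml:AudienceRestriction", NS):
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
        seen.extend(audiences)
        if sp_entity_id not in audiences:
            return False, seen
    return True, seen


if __name__ == "__main__":
    param = encode_redirect(AUTHN_REQUEST_XML)
    req = summarize_authn_request(decode_redirect(param))
    print("SP entityID (Issuer):", req["issuer"])
    print("ACS URL:", req["acs_url"])
    accepted, seen = audience_check(RESPONSE_XML, req["issuer"])
    print("Audience(s) in assertion:", seen)
    print("accepted:", accepted)  # False: IdP Audience != SP entityID
```

When the check fails, the value to fix is on the IdP side: the Audience the IdP is configured to emit has to equal the SP's entityID exactly (scheme, host, and any path), and the SP's Issuer in the decoded AuthnRequest is the authoritative string to compare against.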