SP: Assertion contains an unacceptable AudienceRestriction
Brent Putman
putmanb at georgetown.edu
Fri Aug 14 15:04:34 EDT 2015
On 8/14/15 12:40 PM, Scott Gerlach wrote:
> Location:
> https://company.okta.com/app/okta_app/oktaid123454/sso/saml?SAMLRequest=fZJPb%2BIwEMW%2FSuQ7cZLlr0WQ2HJYJJZFQHvoBTn2QAyJ7fU4bfj2TUhRW6nq1Z55v3lvZoq8LCybVz7XW%2FhfAfqgLguN7PaRksppZjgqZJqXgMwLtpv%2FXbEkjJh1xhthChLMEcF5ZfSD0ViV4HbgXpSAx%2B0qJbn3FhmlCKLnmp76GorCVDKU8BLavP4VnuSJ7nKVZaYAn4eIhraQhG7%2B7fYkWDRTKc1b%2FQ%2B1k5FcymtoLp6HwpSUW3t%2FPCh9NA2uox1iCvUlFv7Ms%2FNwfdna4TmqR7TFtC5JsFyk5JD0J%2FFomI3kOMlgEo9lPzryJJLHbAAQ9UdNGWIFS42ea5%2BSJIoHvWjci%2Fv7eMiSCUsGzyTYvGfyW2mp9OnnALOuCNmf%2FX7T68w%2BgcOb0aaAzKbtgOwGdp8W87Msv2%2BDzO5pcctFDl3836Q%2FpZ84HdSydSO8XGxMocQ1mBeFeX1wwD2kJCZ01rV8PZ3ZGw%3D%3D&RelayState=ss%3Amem%3A7e7e341f48dfb6f4b945fa4776f59b131261101b8de3ccef9e869a533e0f15b2&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=i17MymbVxz21g63A3Cp%2B1tBP%2F%2F5L%2B0WFq5slUkAIRovX28Ma%2FLHPaKWCTedj2MkVNbtM2I3CdQwh1FzNRhdru6TeiK1Z%2F6RdygL%2BVfsR3jM1RTtnL5HshYc%2BrfV1rcIHfUb79pUg5V0r6eYMQPPo9vgQ7KZeUUnQ1uwbREDxrwCcIqbU33S%2FTKdz2riqa791kHE4oHXEbmCsxX7WoTl2UY2gTy9E%2BP49GEtKpFfhNmzThtGI9IzqNZ9jqWpmF%2Fl%2FHhDUfSU70mRT1r8LdX3Gxq%2By0yncvZJBkbJ18oHapQkAWvYMUloYGt74OPVjk5ctzG18IZyWnzaKDq0cBv%2F5tg%3D%3D
>
So this is the actual SAML request from your SP to Okta's IdP?
>
> And following the 302 to the location, this is the SAML data that
> goes with it
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     AssertionConsumerServiceURL="https://myserver.com/Shibboleth.sso/SAML2/POST"
>     Destination="https://company.okta.com/app/okta_app/oktaid123454/sso/saml"
>     ID="_249176b7d82be918d40fa20dfb5ee047"
>     IssueInstant="2015-08-14T16:29:25Z"
>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>     Version="2.0"
>     >
>   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://myserver.com</saml:Issuer>
>   <samlp:NameIDPolicy AllowCreate="1" />
> </samlp:AuthnRequest>
>
And where exactly did you get this?
Just to be clear here: That AuthnRequest XML there is NOT what is in
the AuthnRequest in the Redirect binding above after it's decoded (i.e.
it's not myserver.com). I assume you are trying to obfuscate your
actual server name, etc? Out of respect for that, I won't post it here
- but you sort of already did, since decoding the Redirect binding
above is trivial.
Scott was asking for this info in order to compare the actual values
being sent by the SP as request Issuer and then seen in the resulting
Assertion. As mentioned earlier, even a single character typo,
trailing slash, missing/added default port, case differences, etc will
cause this to fail. So if you're manually obfuscating things, that may
also just be obfuscating the actual problem, if you aren't being
exactly 100% precise in your transformations.
OTOH, if you're saying that the issued Assertion literally contains as
audience the string "https://myserver.com", then I have no idea what's
going on, since that's not what's in the actual AuthnRequest above (and
have no idea how/where you got that 2nd XML snippet).
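As an added illustration (not part of the thread above, and not Shibboleth or Okta code): the script below does the "trivial" decoding Brent refers to, recovering the AuthnRequest from a Redirect-binding Location URL (percent-decode, base64-decode, inflate raw DEFLATE), pulls the request Issuer out of it, and compares it against the Audience values in an Assertion the way an SP does, as an exact string match with no normalisation. It then points at the first differing character, so a trailing slash, case difference or added port shows up instead of being hidden by hand-obfuscation. The SP entityID, IdP URL, RelayState and both XML documents are constructed sample data, and the query-string signature (SigAlg/Signature) is not generated or verified here.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample values (hypothetical SP entityID and IdP endpoint, not the thread's real ones).
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
IDP_SSO_URL = "https://idp.example.com/app/example/sso/saml"

# Constructed AuthnRequest, shaped like the one quoted in the thread.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example1" Version="2.0" IssueInstant="2015-08-14T16:29:25Z" '
    'Destination="https://idp.example.com/app/example/sso/saml" '
    'AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "https://sp.example.org/shibboleth</saml:Issuer>"
    '<samlp:NameIDPolicy AllowCreate="1"/>'
    "</samlp:AuthnRequest>"
)

# Constructed Assertion whose Audience carries a trailing slash the request Issuer lacks.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example2" Version="2.0" IssueInstant="2015-08-14T16:29:26Z">'
    "<saml:Issuer>http://idp.example.com/example</saml:Issuer>"
    '<saml:Conditions NotBefore="2015-08-14T16:24:26Z" NotOnOrAfter="2015-08-14T16:34:26Z">'
    "<saml:AudienceRestriction>"
    "<saml:Audience>https://sp.example.org/shibboleth/</saml:Audience>"
    "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
)


def encode_redirect(xml_text):
    """Redirect-binding encoding: raw DEFLATE (wbits -15, no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def build_location(idp_sso_url, xml_text, relay_state):
    """Build a Location header like the one in the thread (SigAlg/Signature omitted)."""
    query = urlencode({"SAMLRequest": encode_redirect(xml_text), "RelayState": relay_state})
    return idp_sso_url + "?" + query


def decode_redirect(location):
    """Reverse the binding: percent-decode the query, base64-decode, inflate raw DEFLATE."""
    params = parse_qs(urlsplit(location).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def request_issuer(authn_request_xml):
    """The SP entityID as actually sent in the AuthnRequest."""
    return ET.fromstring(authn_request_xml).find("saml:Issuer", NS).text


def assertion_audiences(assertion_xml):
    """Every Audience the IdP put into the Assertion's AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    return [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]


def audience_acceptable(issuer, audiences):
    """Exact string match with no normalisation of case, slashes or ports."""
    return issuer in audiences


def explain_mismatch(issuer, audience):
    """Locate the first differing character so a typo, slash, port or case difference is visible."""
    for i, (a, b) in enumerate(zip(issuer, audience)):
        if a != b:
            return f"differ at offset {i}: {issuer[i:i + 8]!r} vs {audience[i:i + 8]!r}"
    if len(issuer) != len(audience):
        return f"one is a prefix of the other (lengths {len(issuer)} vs {len(audience)})"
    return "identical"


if __name__ == "__main__":
    location = build_location(IDP_SSO_URL, SAMPLE_AUTHN_REQUEST, "ss:mem:example")
    issuer = request_issuer(decode_redirect(location))
    audiences = assertion_audiences(SAMPLE_ASSERTION)
    print("request Issuer :", issuer)
    print("Audience(s)    :", audiences)
    print("acceptable     :", audience_acceptable(issuer, audiences))
    for aud in audiences:
        print("   ", explain_mismatch(issuer, aud))
```

To use it on a real exchange, paste the Location header into decode_redirect() and the Assertion from the SP's log (or the SAML tracer in the browser) into assertion_audiences(), without editing either value by hand first; the point of the thread is that any manual obfuscation can itself introduce the one-character difference being hunted.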