SP: Assertion contains an unacceptable AudienceRestriction

Brent Putman putmanb at georgetown.edu
Fri Aug 14 15:18:51 EDT 2015

On 8/14/15 3:04 PM, Brent Putman wrote:
> Just to be clear here:  That AuthnRequest XML there is NOT what is in
> the AuthnRequest in the Redirect binding above after it's decoded
> (i.e. it's not myserver.com).

In fact it's not just the request issuer entityID that's different,
it's other things like the request Destination and ACS URL.  Were you
deliberately obfuscating all of that in what you've been posting?

> OTOH, if you're saying that the issued Assertion literally contains
> as audience the string "https://myserver.com", then I have no idea
> what's going on, since that's not what's in the actual AuthnRequest
> above (and have no idea how/where you got that 2nd XML snippet).

If you're not obfuscating, then based on some of the names in the first
decoded AuthnRequest: is there some sort of SAML proxying going on
there?  Is so, then that is probably the source of the issue.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20150814/42833a92/attachment-0001.html>

More information about the users mailing list