Mismatched audience when connecting to a MS app via SAML


Marilen Aretius Corciovei

Jul 5, 2022, 8:28:04 AM7/5/22
to Pac4j users mailing list
Hello,

I have been trying to connect via SAML to a custom defined MS app (using a commercial office365 account). I get this error:

org.pac4j.saml.exceptions.SAMLAssertionAudienceException: Assertion audience [spn:165313b8-5665-42a0-9303-3b63c259808c] does not match SP configuration 165313b8-5665-42a0-9303-3b63c259808c


However, the issue is that the audience received from MS contains a spn: prefix. Otherwise it is exactly the same.

<AudienceRestriction> <Audience>spn:165313b8-5665-42a0-9303-3b63c259808c</Audience> </AudienceRestriction>

Anyone had this type of issue? 

Thank you,
Len Corciovei

Marilen Aretius Corciovei

Jul 5, 2022, 8:44:25 AM7/5/22
to Pac4j users mailing list
To answer my own question: it works if I modify the saml.serviceProviderEntityId to have a spn: prefix as well (saml.serviceProviderEntityId: spn:165313b8-5665-42a0-9303-3b63c259808c). Inspired by this: https://stackoverflow.com/questions/38978298/azuread-jwt-token-audience-claim-prefix-makes-jwt-token-invalid.

Thank you.
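As an added illustration (not code from the thread or from pac4j), the following Python shows the exact-match audience check behind the error above: the configured SP entity ID must appear verbatim in every AudienceRestriction, so the fix is to configure the spn:-prefixed value rather than to strip the prefix. The assertion XML is a constructed sample built from the app id quoted in the thread; the saml: namespace on the elements is assumed from SAML 2.0 Core.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the Conditions block as Azure AD issues it, with the
# app id from the thread carrying the spn: prefix.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>spn:165313b8-5665-42a0-9303-3b63c259808c</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


class AssertionAudienceError(Exception):
    """Raised when the assertion is not addressed to this service provider."""


def audiences_by_restriction(xml_text):
    """Return one list of Audience values per AudienceRestriction element.

    Only call this on an assertion whose XML signature has already been
    verified; audience checking is a post-signature step, not a substitute.
    """
    root = ET.fromstring(xml_text)
    restrictions = root.findall(".//saml:Conditions/saml:AudienceRestriction", SAML_NS)
    return [
        [a.text.strip() for a in r.findall("saml:Audience", SAML_NS) if a.text]
        for r in restrictions
    ]


def check_audience(xml_text, sp_entity_id):
    """Exact string match, no prefix normalisation.

    SAML 2.0 Core requires every AudienceRestriction to be satisfied, so the
    SP entity ID must appear in each one. This example also rejects an
    assertion with no AudienceRestriction at all (an assumed, stricter policy).
    """
    groups = audiences_by_restriction(xml_text)
    if not groups:
        raise AssertionAudienceError("assertion carries no AudienceRestriction")
    for audiences in groups:
        if sp_entity_id not in audiences:
            raise AssertionAudienceError(
                f"Assertion audience {audiences} does not match SP configuration {sp_entity_id}"
            )
    return True


def audience_matches(xml_text, sp_entity_id):
    """Boolean wrapper around check_audience for callers that prefer no exception."""
    try:
        return check_audience(xml_text, sp_entity_id)
    except AssertionAudienceError:
        return False
```

With the unprefixed entity ID the check fails exactly as in the thread; with spn:165313b8-5665-42a0-9303-3b63c259808c it passes.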
