[Shib-Users] Assertion contains an unacceptable AudienceRestriction


da...@wustl.edu

Sep 13, 2008, 5:12:55 PM
to shibbole...@internet2.edu

We are attempting to protect multiple websites within a single shibboleth2.xml file with each site requiring SSL.

site1.wustl.edu
site2.wustl.edu
Each site has its own cert, no wildcard cert here.

The site entries in the <ISAPI/> section:
    <Site id="7" name="site1.wustl.edu"/>
    <Site id="9" name="site2.wustl.edu"/>

The host entries in the <RequestMap/> section:
    <Host name="site1.wustl.edu">
        <Path name="secure1" authType="shibboleth" requireSession="true"/>
    </Host>
    <Host name="site2.wustl.edu">
        <Path name="secure2" authType="shibboleth" requireSession="true" applicationId="telesis.wustl.edu"/>
    </Host>


Our applicationOverride looks like this:
    <ApplicationOverride id="site2.wustl.edu" entityID="https://site2.wustl.edu/shibboleth-sp" homeURL="https://site2.wustl.edu/index.html">
        <CredentialResolver type="File" key="site2-key.pem" certificate="site2-cert.pem"/>
    </ApplicationOverride>

When we access a path protected by this site we are redirected to the IdP for authN, successfully authenticated and sent back to:

https://site2.wustl.edu/Shibboleth.sso/SAML2/POST

With this SAML error:
opensaml::FatalProfileException at (https://site2.wustl.edu/Shibboleth.sso/SAML2/POST)
Assertion contains an unacceptable AudienceRestriction.

We've added the site2 entityId to metadata with its cert.

Any insight into what may be going wrong here?

Thanks much,
Dan

Nate Klingenstein

Sep 13, 2008, 11:33:00 PM
to shibbole...@internet2.edu
Dan,

Silly suggestion, but your applicationId doesn't match the ID of the <ApplicationOverride>.  Do you notice WARN or ERROR messages during startup as a result?  If you fix them to match, does it work?

Take care,
Nate.
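As an added example (not code from the thread or from the Shibboleth project), a small Python check for the mismatch Nate points to: it parses a constructed shibboleth2.xml fragment modelled on Dan's config, lists every applicationId in the RequestMap that names no ApplicationDefaults/ApplicationOverride id, and shows a simplified form of the audience comparison the SP makes against the assertion. The SHIB_XML fragment and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed shibboleth2.xml fragment modelled on the thread, namespace omitted (not
# the poster's real file). Note secure2's applicationId does not match the override id.
SHIB_XML = """<SPConfig>
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="site1.wustl.edu">
        <Path name="secure1" authType="shibboleth" requireSession="true"/>
      </Host>
      <Host name="site2.wustl.edu">
        <Path name="secure2" authType="shibboleth" requireSession="true"
              applicationId="telesis.wustl.edu"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults id="default" entityID="https://site1.wustl.edu/shibboleth-sp">
    <ApplicationOverride id="site2.wustl.edu" entityID="https://site2.wustl.edu/shibboleth-sp"/>
  </ApplicationDefaults>
</SPConfig>"""

def local(tag):
    """Strip a namespace prefix so a real (namespaced) shibboleth2.xml parses the same way."""
    return tag.rsplit("}", 1)[-1]

def application_entity_ids(xml_text):
    """Map application id -> entityID for <ApplicationDefaults> and every <ApplicationOverride>."""
    ids = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) in ("ApplicationDefaults", "ApplicationOverride"):
            ids[el.get("id", "default")] = el.get("entityID")
    return ids

def dangling_application_ids(xml_text):
    """(name, applicationId) pairs in the RequestMap that name no configured application."""
    known = application_entity_ids(xml_text)
    bad = []
    for el in ET.fromstring(xml_text).iter():
        app = el.get("applicationId")
        if local(el.tag) in ("Host", "Path") and app is not None and app not in known:
            bad.append((el.get("name"), app))
    return bad

def audience_acceptable(audiences, sp_entity_id):
    """Simplified SP check: the entityID of the application handling the request must
    appear among the assertion's AudienceRestriction values, else it is rejected."""
    return sp_entity_id in audiences
```

Running the check on the fragment reports secure2 pointing at telesis.wustl.edu, which resolves to no application; changing it to site2.wustl.edu clears the report.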