SP not a valid audience for Assertion


bgg92

Jul 21, 2010, 12:44:39 PM7/21/10
to simpleSAMLphp
Hello,

Read through the other threads with this error, but I continue to
receive the error:
"This SP [my-sp] is not a valid audience for the assertion.
Candidates were []"

The entityID is set to 'my-sp' when working with the siteminder Idp
(Required by remote-idp)

Received and saved SAML Response from IdP.

Metadata mismatch is suspected. IdP sets metadata contents. Hoping
to change SP metadata to match IdP.
Is this possible?
Does using http on SP and https on IdP have anything to do with the
error?
Note that this configuration is working with another IdP.

authsources.php:

'default-sp' => array(
'saml:SP',
'privatekey' => 'saml.pem',
'certificate' => 'saml.crt',
'entityID' => 'my-sp',
'idp' => 'remote-idp',
'discoURL' => NULL,
),

saml20-idp-remote.php:

$metadata['remote-idp'] = array(
'name' => 'remote-idp',
'description' => 'test-siteminder-IdP',
'SingleSignOnService' => 'https://test.idp.com/.../public/saml2sso',
'certificate' => 'Idp.cer',
);

saml20-sp-remote.php:

$metadata['my-sp'] = array(
'AssertionConsumerService' => 'http://my-sp.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
'SingleLogoutService' => 'http://my-sp/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
);



Attributes from SAML Response from IdP:

<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
 Destination="http://my-sp.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" ID=...... Version="2.0">
<ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">remote-idp</ns1:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
......
<Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></Status>

<ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ........ Version="2.0">
......
<ns2:Conditions NotBefore="........">
<ns2:AudienceRestriction><ns2:Audience>my-sp</ns2:Audience></ns2:AudienceRestriction>
<ns2:AudienceRestriction><ns2:Audience>https://test.idp.com/testfile.xml</ns2:Audience></ns2:AudienceRestriction>
</ns2:Conditions>
.....
<ns2:AttributeStatement>
<ns2:Attribute Name="UID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<ns2:AttributeValue>JohnSmith</ns2:AttributeValue>
</ns2:Attribute>
<ns2:Attribute Name="EID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<ns2:AttributeValue>12345678</ns2:AttributeValue>
</ns2:Attribute>
</ns2:AttributeStatement>
</ns2:Assertion>
</Response>

Olav Morken

Jul 22, 2010, 3:23:44 AM7/22/10
to simple...@googlegroups.com
On Wed, Jul 21, 2010 at 09:44:39 -0700, bgg92 wrote:
> Hello,
>
> Read through the other threads with this error, but I continue to
> receive the error:
> "This SP [my-sp] is not a valid audience for the assertion.
> Candidates were []"
>
> The entityID is set to 'my-sp' when working with the siteminder Idp
> (Required by remote-idp)
>
> Received and saved SAML Response from IdP.
>
> Metadata mismatch is suspected. IdP sets metadata contents. Hoping
> to change SP metadata to match IdP.
> Is this possible?
> Does using http on SP and https on IdP have anything to do with the
> error?
> Note that this configuration is working with another IdP.


This is the same problem as the one reported in [1]. The IdP includes
two AudienceRestriction-elements:

<ns2:AudienceRestriction>
<ns2:Audience>my-sp</ns2:Audience>
</ns2:AudienceRestriction>

<ns2:AudienceRestriction>
<ns2:Audience>https://test.idp.com/testfile.xml</ns2:Audience>
</ns2:AudienceRestriction>

When two AudienceRestriction-elements are included, the specification
specifies that the SP must be a part of both of them:

Note that multiple <AudienceRestriction> elements MAY be included
in a single assertion, and each MUST be evaluated independently.
The effect of this requirement and the preceding definition is that
within a given <AudienceRestriction>, the <Audience> elements form
a disjunction (an "OR") while multiple <AudienceRestriction>
elements form a conjunction (an "AND").

Since the simpleSAMLphp SP does not associate itself with the
«https://test.idp.com/testfile.xml» audience, it rejects the assertion.
There is currently no way to specify that the SP should consider itself
part of a different audience.


[1] http://groups.google.com/group/simplesamlphp/browse_frm/thread/070f7b12609bca13/2e8f1bf1c61bb425

--
Olav Morken
UNINETT / Feide
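To make the AND/OR rule from the reply concrete, here is an added example (not part of the thread or of simpleSAMLphp) that evaluates the Conditions of an assertion the way the quoted spec text describes. The two assertion strings are constructed samples modelled on the XML in the first post, with signature, subject and attributes left out; the "candidates" set is computed as the intersection across restrictions, which is an assumption that matches the empty candidate list in the reported error.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample modelled on the assertion in the thread: two separate
# AudienceRestriction elements, only one of which names the SP.
TWO_RESTRICTIONS = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <Conditions>
    <AudienceRestriction><Audience>my-sp</Audience></AudienceRestriction>
    <AudienceRestriction><Audience>https://test.idp.com/testfile.xml</Audience></AudienceRestriction>
  </Conditions>
</Assertion>"""

# Constructed variant: the same two audiences inside ONE AudienceRestriction.
ONE_RESTRICTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <Conditions>
    <AudienceRestriction>
      <Audience>my-sp</Audience>
      <Audience>https://test.idp.com/testfile.xml</Audience>
    </AudienceRestriction>
  </Conditions>
</Assertion>"""


def audience_restrictions(assertion_xml):
    """One set of Audience values per <AudienceRestriction>, in document order."""
    root = ET.fromstring(assertion_xml)
    result = []
    for ar in root.findall("saml:Conditions/saml:AudienceRestriction", SAML_NS):
        result.append({a.text.strip() for a in ar.findall("saml:Audience", SAML_NS) if a.text})
    return result


def candidate_audiences(assertion_xml):
    """Entity IDs that satisfy every restriction: OR inside one element,
    AND between elements, i.e. the intersection (assumed model).
    None means the assertion carries no audience restriction at all."""
    restrictions = audience_restrictions(assertion_xml)
    if not restrictions:
        return None
    candidates = set(restrictions[0])
    for audiences in restrictions[1:]:
        candidates &= audiences
    return candidates


def is_valid_audience(assertion_xml, sp_entity_id):
    """True when the SP may rely on the assertion under SAML 2.0 core 2.5.1.4."""
    candidates = candidate_audiences(assertion_xml)
    return candidates is None or sp_entity_id in candidates
```

With the IdP's layout the intersection is empty, so 'my-sp' is rejected exactly as the error message reports; moving both Audience values into a single AudienceRestriction on the IdP side makes the same entityID acceptable.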
