This SP [...] is not a valid audience for the assertion. Candidates were: []


Daryl

Jun 18, 2010, 4:56:43 PM
to simpleSAMLphp
I am trying to setup our SP to connect to a remote IdP using SAML 2.0.
Since access to the IdP is restricted, they are simply sending
Assertion Responses to our AssertionConsumerService. An unknown
exception is being thrown: This SP [https://daryl.qualtrics.com/WRSAML/
simplesaml/www/module.php/saml/sp/metadata.php/pwc] is not a valid
audience for the assertion. Candidates were: []

I am new to SAML and have been poring over the discussions here as
well as tracing through simpleSAMLphp code to figure out what is wrong,
but I'm at a loss. I'd appreciate any help I can get. Here is some
more info:
The entry in authsources.php for the IdP is:

'pwc' => array(
    'saml:SP',
    'privatekey' => 'shibboleth-key.pem',
    'certificate' => 'shibboleth.crt',
    'idp' => 'https://federatedsecurity-st.pwc.com/survey',
),

The entry in saml20-idp-remote.php is:

$metadata['https://federatedsecurity-st.pwc.com/survey'] = array(
    'name' => array(
        'en' => 'PWC'
    ),
    'description' => 'PricewaterhouseCoopers',
    'SingleSignOnService' => 'https://websso-s.pwc.com/survey',
    'certData' => '...'
);

(certData omitted for brevity)

The assertion response that the IdP is sending:

<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://daryl.qualtrics.com/WRSAML/simplesaml/www/module.php/saml/sp/saml2-acs.php/pwc"
    ID="_3ea9ad82209289c8b6fb0dcfbd2906bd800c"
    IssueInstant="2010-06-18T18:38:03Z" Version="2.0">
  <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://federatedsecurity-st.pwc.com/survey</ns1:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </Status>
  <ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_60c08150e834df2635db95383513596d6906"
      IssueInstant="2010-06-18T18:38:03Z" Version="2.0">
    <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://federatedsecurity-st.pwc.com/survey</ns2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        <ds:Reference URI="#_60c08150e834df2635db95383513596d6906" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">PzoMmoyxRzNEyrJ2FGr0Y/cTcmI=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        rLVGSiwedRS72Bx8oAhjJb0ty/rAv/aN97jT5N5smkmWCvG+JyTsdxyZ+XSCDaqXBbreUM7QndDO
        Y711oQ7IvGkXoV86/w9DCo2o1n269dDL+eI2dL5jZEzJlo2yQ8Y2QudsM65qJmFrxft2eT8JmNmd
        NwSXyp4g+tIoheYXE4A=
      </ds:SignatureValue>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            ...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <ns2:Subject>
      <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">1000171083</ns2:NameID>
      <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <ns2:SubjectConfirmationData
            NotOnOrAfter="2010-06-18T18:39:33Z"
            Recipient="https://daryl.qualtrics.com/WRSAML/simplesaml/www/module.php/saml/sp/saml2-acs.php/pwc"/>
      </ns2:SubjectConfirmation>
    </ns2:Subject>
    <ns2:Conditions NotBefore="2010-06-18T18:37:33Z"
        NotOnOrAfter="2010-06-18T18:39:33Z">
      <ns2:AudienceRestriction>
        <ns2:Audience>http://daryl.qualtrics.com</ns2:Audience>
      </ns2:AudienceRestriction>
      <ns2:AudienceRestriction>
        <ns2:Audience>https://federatedsecurity-st.pwc.com</ns2:Audience>
      </ns2:AudienceRestriction>
    </ns2:Conditions>
    <ns2:AuthnStatement AuthnInstant="2010-06-18T18:38:02Z"
        SessionIndex="X7ApzSUDdkWxBMFBxRZwqk/8++k=S0uO7w=="
        SessionNotOnOrAfter="2010-06-18T18:39:33Z">
      <ns2:AuthnContext>
        <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
      </ns2:AuthnContext>
    </ns2:AuthnStatement>
    <ns2:AttributeStatement>
      <ns2:Attribute Name="lastname"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <ns2:AttributeValue>Kotinsky</ns2:AttributeValue>
      </ns2:Attribute>
      <ns2:Attribute Name="firstname"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <ns2:AttributeValue>Ronald</ns2:AttributeValue>
      </ns2:Attribute>
      <ns2:Attribute Name="mail"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <ns2:AttributeValue>ronald.m...@us.pwc.com</ns2:AttributeValue>
      </ns2:Attribute>
    </ns2:AttributeStatement>
  </ns2:Assertion>
</Response>

(Again, certificate value omitted for brevity).

I'd really appreciate any guidance I can get.

-Daryl

Olav Morken

Jun 21, 2010, 2:37:07 AM
to simple...@googlegroups.com
On Fri, Jun 18, 2010 at 13:56:43 -0700, Daryl wrote:
> I am trying to setup our SP to connect to a remote IdP using SAML 2.0.
> Since access to the IdP is restricted, they are simply sending
> Assertion Responses to our AssertionConsumerService. An unknown
> exception is being thrown: This SP [https://daryl.qualtrics.com/WRSAML/
> simplesaml/www/module.php/saml/sp/metadata.php/pwc] is not a valid
> audience for the assertion. Candidates were: []

The problem is this part:

> <ns2:Conditions NotBefore="2010-06-18T18:37:33Z"
> NotOnOrAfter="2010-06-18T18:39:33Z">
> <ns2:AudienceRestriction>
> <ns2:Audience>http://daryl.qualtrics.com</
> ns2:Audience>
> </ns2:AudienceRestriction>
> <ns2:AudienceRestriction>
> <ns2:Audience>https://federatedsecurity-st.pwc.com</
> ns2:Audience>
> </ns2:AudienceRestriction>
> </ns2:Conditions>

First of all, neither of these is the entityID of your SP (which is
"https://daryl.qualtrics.com/[...]/sp/metadata.php/pwc"). Secondly,
the specification states that each AudienceRestriction element must
be evaluated separately. In practice, this means that if your SP isn't
included in all AudienceRestriction elements, it is not a valid
audience.

--
Olav Morken
UNINETT / Feide
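A worked illustration of the rule Olav describes, added here as an example and not code from the thread or from simpleSAMLphp: each AudienceRestriction element is evaluated on its own, so the SP's entityID must appear in every one of them, and the candidate set is the intersection of the per-element Audience sets, which for the two disjoint restrictions in this response is empty, consistent with "Candidates were: []". The build_conditions helper and the function names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# The SP's entityID from the error message in the thread.
SP_ENTITY_ID = ("https://daryl.qualtrics.com/WRSAML/simplesaml/www/"
                "module.php/saml/sp/metadata.php/pwc")


def build_conditions(*restrictions):
    """Constructed helper: build a minimal saml:Conditions element with one
    AudienceRestriction per argument, each argument a list of Audience URIs."""
    ars = "".join(
        "<AudienceRestriction>"
        + "".join(f"<Audience>{a}</Audience>" for a in r)
        + "</AudienceRestriction>"
        for r in restrictions)
    return f'<Conditions xmlns="{SAML_NS}">{ars}</Conditions>'


# The two disjoint AudienceRestriction elements the IdP sent (from the thread).
CONDITIONS_FROM_THREAD = build_conditions(
    ["http://daryl.qualtrics.com"],
    ["https://federatedsecurity-st.pwc.com"])


def audience_sets(conditions_xml):
    """One set of Audience values per AudienceRestriction element."""
    root = ET.fromstring(conditions_xml)
    return [
        {a.text.strip() for a in ar.findall(f"{{{SAML_NS}}}Audience")}
        for ar in root.findall(f"{{{SAML_NS}}}AudienceRestriction")]


def valid_audiences(conditions_xml):
    """Candidates that satisfy every AudienceRestriction: the intersection of
    the per-element sets. None means the assertion carries no restriction."""
    sets = audience_sets(conditions_xml)
    if not sets:
        return None
    candidates = set(sets[0])
    for s in sets[1:]:
        candidates &= s  # each element is evaluated separately; all must match
    return candidates


def is_valid_audience(conditions_xml, entity_id):
    """True only if the SP's entityID is in every AudienceRestriction."""
    candidates = valid_audiences(conditions_xml)
    return candidates is None or entity_id in candidates
```

Running is_valid_audience(CONDITIONS_FROM_THREAD, SP_ENTITY_ID) returns False; an IdP fix is to list the SP's entityID in every AudienceRestriction it emits, or to emit a single one.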
