Using the ITFoxtec Identity SAML 2.0 component I am facing the "SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed" error. Once I read a token string in ReadClaimsIdentity. Please see attached image and link of the error.
https://i.imgur.com/vXzGa9P.png
Please revert me on the same as soon as possible.
The error cursor if the issuer configured in the application and the issuer for which the SAML 2.0 token is issued do not match.
TestWebAppCore in Startup.cs line 37 the AllowedAudienceUris is loaded from configuration:
saml2Configuration.AllowedAudienceUris.Add(saml2Configuration.Issuer);
Related
I am getting this error using ITfoxtec
SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'System.String'. Did not match: validationParameters.ValidAudience: 'System.String' or validationParameters.ValidAudiences: 'System.String'.
Where can I set the Audience value.
MY appsettings are:
"Saml2": {
"IdPMetadata": "https://dev-16078540.okta.com/app/exk64xo640gcOOLQb5d7/sso/saml/metadata",
"Issuer": "Investx_SAML_Test",
"SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
"CertificateValidationMode": "ChainTrust",
"RevocationMode": "NoCheck"
}
I am working with an example from :
Authenticate with SAML in ASP.NET Core and C#
Thanks
You probably need to set the AllowedAudienceUris please see the ASP.NET Core sample. Your applications issuer is the same as the audience because the token is for your application.
Unable to authenticate against a backend api using Azure. Error says invalid audience but the aud claim had the backend api client id when troubleshooting in jwt.ms.
From your error report, it is indeed a 401 error, that is, your audience does not match the api you want to call, but your parsing token aud claims to have the backend api client ID, so I think your authentication There may be a problem with the configuration, I use the auth code flow to do a simple demonstration for you:
Next,under 'API permissions', give your front-end application access to your backend api:
Under 'API permissions' click on 'Add permission', then click on the 'My APIs' tab.
Find your backend application and select the appropriate scope.
Click 'Add permissions'.
Grant admin consent for your APIs.
Get token:
Parse the token:
I have an MSDN subscription linked to my Personal account. I am trying to write and Web Application which can invite users users using the Invitation API, https://graph.microsoft.com/v1.0/invitations.
I tried to get an token using the Client Credentials flow and then call the above API but getting an invalid audience error. I checked the token and the aud claim is set to 00000002-0000-0000-c000-000000000000 which i think is Graph API. I set the Scope as https://graph.microsoft.com/.default while getting the token
Can some one help me what is that i am doing wrongly or is this scenario not supported
Since you are trying with your personal account which is not supported at this moment as you could see on screenshot below:
You could have a look on official document here
I have tried below way and worked for me:
Request:
{
"invitedUserEmailAddress": "kironTest#email.com",
"inviteRedirectUrl": "https://myapp.com",
"userType":"Guest"
}
Response:
Make sure your token has required permission like below:
You could check your permission here https://jwt.io/
Hope that would help.
i'm trying Okta quick start for Java tomcat SAML, I am very new to this topic.
When I start my test application I do see a link to Okta IDP, after clicking "Start single sign-on" button i am being redirected to Okta address with info "Sining in to SAML - Test" (my Okta test name) after that I'm again being redirected to my application with:
Error
Error validating SAML message
after that there is a stack trace with
Caused by: org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
... 27 more
Caused by: org.opensaml.common.SAMLException: Local entity is not the intended audience of the assertion in at least one AudienceRestriction
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAudience(WebSSOProfileConsumerImpl.java:506)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionConditions(WebSSOProfileConsumerImpl.java:458)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:303)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
... 28 more
What am I missing? What am I doing wrong?
Thanks for all your help Zack.
The entity ID of your Spring SAML Service Provider doesn't match Destination element in the SAML response from Okta. Compare the two values and fix the value on either Spring SAML or Okta side.
Same issue when deploying Spring Boot app in Azure Container Instance and using Okta SAML. saml.sp=http://fqdn-of-my.domain.com:8082/saml/metadata, FQDN resolved by an AWS hosted DNS zone A record, the URL itself is accessible and downloads the spring_saml_metadata.xml.
Caused by: org.opensaml.common.SAMLException: Local entity is not the intended audience of the assertion in at least one AudienceRestriction
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAudience(WebSSOProfileConsumerImpl.java:542)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionConditions(WebSSOProfileConsumerImpl.java:494)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:339)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:250)
... 53 more
Update after 30 minutes: I noticed that the error went away after a rebuild and redeploy of the app!!
With
saml.sp=http://fqdn-of-my.domain.com:8082/saml/metadata in Spring application.properties, the SP Metadata available at the same URL was originally the below, giving error:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
ID="http___localhost_8082_saml_metadata"
entityID="http://localhost:8082/saml/metadata">
A rebuild and redeployment of the app with Metadata as below resulted in successful handshake:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
ID="http___fqdn-of-my.domain.com_8082_saml_metadata"
entityID="http://fqdn-of-my.domain.com:8082/saml/metadata">
I am pretty sure I had the property correctly set even when it was giving error. But anyway, a rebuild of the Dockerized Spring app and redeploy of the same in Azure ultimately fixed the problem.
When sending SAML LogoutRequest to ADFS IdP I am getting on ADFS side error :
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7054: The SAML logout did not complete properly.
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSamlLogoutResponse(HttpSamlMessage samlMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SamlLogout()
Message is according with SAML standards and it is signed.
What I have to look for ?
I have finally get more detail log from our partner. The problem was the missing certificate in signing tab of the our RelayParty on pratners ADFS server. Also the problem could be missing permissions for private key of the mentioned certificate for ADFS IIS running process (that is most probably NETWORK SERVICE). SLO is working now properly.
The Federation Service encountered an error while processing the SAML authentication request.
Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
)
'. Ensure that the SecurityTokenResolver is populated with the required key.
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
at System.Xml.XmlReader.ReadEndElement()
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadLogoutRequest(XmlReader reader)
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Logout(LogoutRequest logoutRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)