I am implementing Sustainsys.Saml2, working with .NET Framework 4.7.2, to connect to an identity provider in Azure AD.
Sustainsys.Saml2 2.9.2, Sustainsys.Saml2.HttpModule 2.9.2
Is there any configuration parameter in web.config to fix the error I am getting:
"IDX10214: Audience validation failed. Audiences: 'spn:XXXXXXX'. Did not match: validationParameters.ValidAudience: 'XXXXXXX' or validationParameters.ValidAudiences: 'null'."
```
[SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'spn:b2314dc9-bb7d-4797-bc1f-0767fa073c20'. Did not match: validationParameters.ValidAudience: 'b2314dc9-bb7d-4797-bc1f-0767fa073c20' or validationParameters.ValidAudiences: 'null'.]
   Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) +723
   Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConditions(Saml2SecurityToken samlToken, TokenValidationParameters validationParameters) +369
   Sustainsys.Saml2.Saml2P.Saml2PSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) +57
   Sustainsys.Saml2.Saml2P.<CreateClaims>d__66.MoveNext() +785
   System.Collections.Generic.List`1..ctor(IEnumerable`1 collection) +453
   System.Linq.Enumerable.ToList(IEnumerable`1 source) +69
   Sustainsys.Saml2.Saml2P.Saml2Response.GetClaims(IOptions options, IDictionary`2 relayData) +242
   Sustainsys.Saml2.WebSso.AcsCommand.ProcessResponse(IOptions options, Saml2Response samlResponse, StoredRequestState storedRequestState, IdentityProvider identityProvider, String relayState) +98
   Sustainsys.Saml2.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options) +968
   Sustainsys.Saml2.HttpModule.Saml2AuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs e) +407
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +223
   System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +220
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +94
```
Thank you
I have tried to include several parameters, for instance:

```xml
<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="false" />
  </federationConfiguration>
</system.identityModel.services>
```

Also, including in Global.asax - Application_BeginRequest:

```csharp
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
```
I keep getting the same error.
This is a "feature" of Microsoft Entra ID. The SAML2 spec requires the audience to be an absolute URI. If the configured value isn't a URI, Entra ID "fixes" that by appending `spn:`. The best way to solve it is to change the SP Entity ID to be an absolute URI.
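As an added example (not the question's configuration and not the library's own documentation), here is a Sustainsys.Saml2 `web.config` fragment showing the failing Entity ID beside the corrected one; the host names and `TENANT-ID` are constructed placeholders.

```xml
<!-- Added example: Sustainsys.Saml2 2.x config section (not the question's own config).
     Host names and TENANT-ID are constructed placeholders. -->
<configuration>
  <configSections>
    <section name="sustainsys.saml2"
             type="Sustainsys.Saml2.Configuration.SustainsysSaml2Section, Sustainsys.Saml2" />
  </configSections>

  <!-- Failing setting: a bare GUID is not an absolute URI. Entra ID then issues the
       assertion with Audience "spn:<guid>", which can never equal the configured
       entityId, so the audience check fails with IDX10214 exactly as in the trace. -->
  <!--
  <sustainsys.saml2 entityId="b2314dc9-bb7d-4797-bc1f-0767fa073c20"
                    returnUrl="https://sp.example.com/">
  -->

  <!-- Corrected setting: an absolute URI as the SP Entity ID. Enter the same value
       as "Identifier (Entity ID)" on the Enterprise Application in Entra ID, so the
       Audience element in the assertion matches the configured entityId byte for byte. -->
  <sustainsys.saml2 entityId="https://sp.example.com/Saml2"
                    returnUrl="https://sp.example.com/">
    <identityProviders>
      <!-- Entra ID issuer and federation metadata for the tenant (TENANT-ID is a placeholder). -->
      <add entityId="https://sts.windows.net/TENANT-ID/"
           metadataLocation="https://login.microsoftonline.com/TENANT-ID/federationmetadata/2007-06/federationmetadata.xml"
           allowUnsolicitedAuthnResponse="true" />
    </identityProviders>
  </sustainsys.saml2>
</configuration>
```

After changing the Entity ID on both sides, inspect the `<saml:Audience>` value in the next assertion (visible with `ShowPII = true` as above) to confirm the `spn:` prefix is gone.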