AudienceRestriction error with Shibboleth SP and ADFS as IdP
Description
As I discussed with Scott on the Shib-Users list in a thread titled "Shibboleth 2 SP and ADFS", I am seeing an explained AudienceRestriction error. The actual error I am getting is:
OpenSAML.SecurityPolicyRule.AudienceRestriction [2]: unacceptable AudienceRestrictionCondition in assertion (<saml:AudienceRestrictionCondition xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Audience>urn:federation:shibtest.example.com</saml:Audience></saml:AudienceRestrictionCondition>)
With the Audience value in the assertion matching the entityID for the application, this error should not occur. I even tried adding a PolicyRule for the Audience value and that didn't correct the issue.
Documentation note about policy workaround added to ADFS topic until fix is released.
Scott Cantor October 1, 2009 at 7:03 PM
Looks like I won't need it, I believe I know what the bug is, and I know why your workaround failed.
The bug is such that you will have to customize the policy as you attempted to do, because the entityID isn't being injected as a valid audience (which does happen automatically with the SAML protocol handlers).
Your policy settings were broken because the XML is wrong. You need to put the Audience element inside the PolicyRule element of type "Audience", as a child. Your config has an empty PolicyRule tag followed by the Audience element as a sibling. Fix the nesting and that should resolve the audience error until the bug gets fixed.
In the meantime it won't hurt anything since duplicating the entityID in the policy rule doesn't break anything no matter which protocol you happen to use.
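The following is an added example, not code from the Shibboleth project or from this issue. It models the audience decision the comment above describes: the Audience policy rule only sees Audience elements that are its children, and the SP's own entityID is added as an acceptable audience automatically only by the SAML protocol handlers (the bug is that the ADFS handler does not). The SP configuration namespace urn:mace:shibboleth:2.0:native:sp:config and the nesting of the Audience rule under a Conditions rule are assumptions about the SP 2.x security policy format; both policy snippets and the condition string are constructed from the values in this issue.

```python
"""Added example: why a mis-nested <Audience> element in the SP security
policy has no effect, and why nesting it under PolicyRule type="Audience"
makes the ADFS assertion's AudienceRestrictionCondition acceptable."""
import xml.etree.ElementTree as ET

# Assumed SP 2.x configuration namespace.
NS = "urn:mace:shibboleth:2.0:native:sp:config"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed: the broken attempt described in the comment. Audience is a
# sibling of an empty PolicyRule, so the Audience rule never reads it.
BROKEN_POLICY = f"""<Policy xmlns="{NS}" id="default">
  <PolicyRule type="Conditions">
    <PolicyRule type="Audience"/>
    <Audience>urn:federation:shibtest.example.com</Audience>
  </PolicyRule>
</Policy>"""

# Constructed: the corrected nesting, Audience as a child of the rule.
FIXED_POLICY = f"""<Policy xmlns="{NS}" id="default">
  <PolicyRule type="Conditions">
    <PolicyRule type="Audience">
      <Audience>urn:federation:shibtest.example.com</Audience>
    </PolicyRule>
  </PolicyRule>
</Policy>"""

# Constructed from the condition quoted in the error message in this issue.
ASSERTION_CONDITION = (
    f'<saml:AudienceRestrictionCondition xmlns:saml="{SAML1}">'
    "<saml:Audience>urn:federation:shibtest.example.com</saml:Audience>"
    "</saml:AudienceRestrictionCondition>"
)


def configured_audiences(policy_xml):
    """Audience values the Audience rule actually sees: only its own children."""
    root = ET.fromstring(policy_xml)
    found = set()
    for rule in root.iter(f"{{{NS}}}PolicyRule"):
        if rule.get("type") != "Audience":
            continue
        for aud in rule.findall(f"{{{NS}}}Audience"):
            if aud.text:
                found.add(aud.text.strip())
    return found


def acceptable_audiences(policy_xml, entity_id, saml_protocol_handler):
    """Acceptable set = configured Audience values, plus the SP's entityID
    when a SAML protocol handler injected it (the ADFS handler does not)."""
    accepted = configured_audiences(policy_xml)
    if saml_protocol_handler:
        accepted.add(entity_id)
    return accepted


def audience_restriction_ok(condition_xml, accepted):
    """The condition is satisfied when any asserted Audience is acceptable."""
    cond = ET.fromstring(condition_xml)
    asserted = {a.text.strip() for a in cond.iter(f"{{{SAML1}}}Audience")
                if a.text}
    return bool(asserted & accepted)


if __name__ == "__main__":
    entity = "urn:federation:shibtest.example.com"
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        ok = audience_restriction_ok(
            ASSERTION_CONDITION, acceptable_audiences(policy, entity, False))
        print(f"ADFS handler, {name} policy: {'accepted' if ok else 'rejected'}")
```

With the ADFS handler the broken policy yields an empty acceptable set and the condition is rejected, which is the logged error; the fixed policy accepts it. Under a SAML protocol handler the entityID is injected regardless, so the duplicate Audience entry is harmless there, as the comment notes.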
Scott Cantor October 1, 2009 at 6:47 PM
As I stated on the list, I need a copy of the exact HTML form from ADFS.
Fixed