SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed

c# asp.net-core saml sustainsys-saml2
OnlyOneEA picture OnlyOneEA · Oct 16, 2018 · Viewed 27.1k times · Source

I'm developing an ASP.NET Core 2 app using Identity and Sustainsys.Saml2 (for SAML auth). I've made the necessary configurations in the Startup.cs file. Now when I run the project and try to login using the SAML2 (as an external login), I get the following error after enter my credentials:

SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: '[PII is hidden]'. Did not match: validationParameters.ValidAudience: '[PII is hidden]' or validationParameters.ValidAudiences: '[PII is hidden]'. Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConditions(Saml2SecurityToken samlToken, TokenValidationParameters validationParameters) Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(string token, TokenValidationParameters validationParameters, out SecurityToken validatedToken) Sustainsys.Saml2.Saml2P.Saml2Response+d__60.MoveNext() System.Collections.Generic.List..ctor(IEnumerable collection) System.Linq.Enumerable.ToList(IEnumerable source) Sustainsys.Saml2.Saml2P.Saml2Response.GetClaims(IOptions options, IDictionary relayData) Sustainsys.Saml2.WebSso.AcsCommand.ProcessResponse(IOptions options, Saml2Response samlResponse, StoredRequestState storedRequestState) Sustainsys.Saml2.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options) Sustainsys.Saml2.AspNetCore2.Saml2Handler+d__12.MoveNext() System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) Microsoft.AspNetCore.Authentication.AuthenticationMiddleware+d__6.MoveNext() System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.MigrationsEndPointMiddleware+d__4.MoveNext() System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware+d__6.MoveNext() System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware+d__6.MoveNext() System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware+d__7.MoveNext()

I'm not understanding what does this mean. Am I missing something?

Here's what I have in the Startup file

services.AddAuthentication()
        .AddSaml2(options => 
        {
            var spOptions = new SPOptions
            {
                EntityId = new EntityId("https://localhost:44373/Saml2"),
                ReturnUrl = new Uri("https://localhost:44373"),
                MinIncomingSigningAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1",                  
            };                

            options.SPOptions = spOptions;
            options.IdentityProviders.Add(new IdentityProvider(new EntityId("https://www.example.com/SSO/SAML/App"), options.SPOptions)
            {
                AllowUnsolicitedAuthnResponse = false,                  
                MetadataLocation = "https://www.example.com/SSO/SAMLMetadata/App",                  
                LoadMetadata = true,                  
            }); 
        });

Thanks in advance...

Answer

NamiraJV picture NamiraJV · Oct 16, 2018

As far as I know, this error clearly states that audience that came in your SAML-token is different from the value in your Startup configuration. It might be helpful to compare these values. Sometimes the validation fails due to case-sensitive comparison, so you should pay attention in which case your audiencies are in token and configuration.

According to the source code (Saml2Response) and as Anders Abel pointed out, ValidAudience property is initialized from SPOptions.EntityId that you configure here:

var spOptions = new SPOptions
{
    EntityId = new EntityId("https://localhost:44373/Saml2"),
    ReturnUrl = new Uri("https://localhost:44373"),
    MinIncomingSigningAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1",                  
};

So you should compare the EntityId value, that you have configured with the value in your saml-token, which might look like this:

<saml:Audience>The value here should be the same as in your startup configuration</saml:Audience>

Related questions

AddTransient, AddScoped and AddSingleton Services Differences

I want to implement dependency injection (DI) in ASP.NET Core. So after adding this code to ConfigureServices method, both ways work. What is the difference between the services.AddTransient and service.AddScoped methods in ASP.NET Core? public void …

Read More
How to read AppSettings values from a .json file in ASP.NET Core

I have set up my AppSettings data in file appsettings/Config .json like this: { "AppSettings": { "token": "1234" } } I have searched online on how to read AppSettings values from .json file, but I could not get anything useful. I tried: var configuration = …

Read More
ASP.NET Core Dependency Injection error: Unable to resolve service for type while attempting to activate

I created an .NET Core MVC application and use Dependency Injection and Repository Pattern to inject a repository to my controller. However, I am getting an error: InvalidOperationException: Unable to resolve service for type 'WebApplication1.Data.BloggerRepository' while attempting to …

Read More