"Audience is invalid" Error in SAML and Entity ID

Problem statement

Login via a newly configured SAML connection fails and displays the error:

Audience is invalid

According to the SAML troubleshooting guidance in the Auth0 documentation (refer to Troubleshoot SAML Errors):

“This error occurs if the value of the audience element from the identity provider’s SAML response doesn’t match the value expected by Auth0. Auth0 expects the value to be the Entity ID for the connection”.

It then says to go to the Common Settings and view the Entity ID. This article describes the purpose of the Entity ID and where it can be found in the SAML connection settings.

Symptoms

  • A SAML connection has been configured in the tenant.
  • At login, the user is correctly redirected to the IdP, but when the SAML response is posted back to Auth0 the user is redirected with the error message “Audience is invalid”.

Troubleshooting

  1. Capture the failed login flow in a HAR file for later analysis. For further information, refer to Generate and Analyze HAR Files.
  2. Review the HAR file and look for the Audience value in the SAML response; the Auth0 SAML tool can decode the response for this purpose.
  3. The Audience value must match the Entity ID configured within the SAML connection.
  4. The Entity ID should be in this format: “urn:auth0:TENANT:CONNECTION”.

Cause

The error message may arise when:

  • the Identity Provider (IdP) fails to send the correct audience value in the SAML response.
  • the Entity ID is missing or incorrectly configured in the SAML connection.

Solution

Role Played by Entity ID

Both the Service Provider (SP) and the Identity Provider (IdP) are considered to be entities in a SAML transaction. Each of these is assigned a unique Entity ID, which plays several roles:

  • Uniqueness: the ID ensures that only the desired parties are involved in a SAML transaction.
  • Routing: the ID ensures that messages are routed to the correct entity (SP or IdP).
  • Metadata: contains information about the endpoints, keys, and other settings necessary for the secure exchange of SAML messages. Here, the Entity ID is used to associate the SP or IdP with its corresponding set of metadata.
  • Configuration: the ID performs an important role in configuring the SP and IdP, providing a unique identifier for each communicating entity.

The Entity ID is frequently expressed in a ‘urn’ format. In an Auth0 context, the common structure is defined as follows:

For public cloud tenants:
urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME

For private cloud tenants:
urn:config:YOUR_TENANT:YOUR_CONNECTION_NAME
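The troubleshooting steps above (find the Audience in the posted SAML response and compare it with the connection's Entity ID) and the two Entity ID formats just shown can be checked mechanically. The following is an added example, not Auth0's own code: it builds the expected Entity ID for a tenant and connection, decodes a base64 SAMLResponse, pulls out every Audience element, and reports whether one of them matches. The tenant name, connection names and the SAML response are constructed sample values.

```python
# Added example (not Auth0 code): does the Audience in a SAML response match
# the Entity ID Auth0 expects for the connection?
import base64
import xml.etree.ElementTree as ET

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def expected_entity_id(tenant: str, connection: str, private_cloud: bool = False) -> str:
    """urn:auth0:TENANT:CONNECTION for public cloud, urn:config:... for private cloud."""
    prefix = "urn:config" if private_cloud else "urn:auth0"
    return f"{prefix}:{tenant}:{connection}"


def extract_audiences(saml_response_b64: str) -> list[str]:
    """Decode the base64 SAMLResponse the IdP posted and return every <saml:Audience> text.

    For real, untrusted responses parse with defusedxml instead of xml.etree.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [(aud.text or "").strip() for aud in root.iterfind(path, SAML_NS)]


def check_audience(saml_response_b64: str, entity_id: str) -> tuple[bool, list[str]]:
    """Return (ok, audiences). ok is True only on an exact string match."""
    audiences = extract_audiences(saml_response_b64)
    return entity_id in audiences, audiences


# Constructed sample: the IdP still sends the audience for an old connection name,
# so Auth0 would reject it with "Audience is invalid" for the new connection.
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:auth0:example-tenant:old-saml-conn</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""").decode()

if __name__ == "__main__":
    expected = expected_entity_id("example-tenant", "corp-saml")
    ok, seen = check_audience(SAMPLE_RESPONSE, expected)
    print(f"expected {expected}; IdP sent {seen}; match={ok}")
```

The comparison is exact, so a trailing slash, different letter case, or an audience issued for a renamed connection all count as a mismatch; fix the audience on the IdP side or the Entity ID on the connection rather than loosening the check.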

How to Find the Entity ID

  1. Log in to the Auth0 dashboard as a tenant member (Administrator).
  2. If necessary, switch to the required tenant. For further information, refer to Manage account settings.
  3. Log in to the Documentation website with your Auth0 account details.


  4. Navigate to Authentication > Enterprise Connections > SAML.
  5. On the top horizontal menu, click Setup.
  6. Respond to the prompt “If you are an administrator of this domain”: click Continue.
  7. You land on the documentation page “SAML Identity Provider Configuration Settings”.
  8. Scroll down to the section Entity ID.
  9. The Entity ID of the Service Provider (SP) is displayed and takes this form:

urn:auth0:tenant-name:{yourConnectionName} or urn:config:tenant-name:{yourConnectionName}, depending on the environment type.
