“Audience is invalid” Error in SAML with custom domain

We have configured a SAML connection. Users are correctly redirected to the IdP, but when the SAML response is posted to Auth0, users are redirected with the error message “Audience is invalid”, with the audience set as per the documentation: urn:auth0:TENANT:CONNECTION_NAME

When trying to confirm the entityID (corresponding to the audience if our understanding is correct) by querying ‘https://TENANT.auth0.com/api/v2/connections/CONNECTION_ID’, we cannot see the entityId while it is apparently supposed to be there.

For information, we are using a custom domain with the /authorize request and the ACS URL with our identity provider matching.

Any ideas on how to solve this?

Hi @sebastibe

Welcome to the Auth0 Community.

Please ensure you have set the necessary entity ID on the IdP end; it may also appear as audience. The IdP will then send this to Auth0 in the SAML response.

Let me know if this resolves the issue.

Warm regards.

Hi @SaqibHussain ,

Thanks for the reply.

We confirmed that the issue was coming from a mismatch between the registered Entity ID on the IdP side and ours. Our misunderstanding came from the error message: “audience is invalid. Configured urn:auth0::<tenant_name>:<connection_name>” was actually referring to the configured value on our side, not the value configured on their side that would be invalid.
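The check the thread is describing, as an added example that is not part of the original posts or of Auth0's own code: the service provider builds the entity ID it expects (`urn:auth0:TENANT:CONNECTION_NAME`), extracts every `<saml:Audience>` from the `AudienceRestriction` of the posted Response, and rejects the login when none of them matches. The sample Response, the tenant name `example-tenant`, the connection name `corp-saml`, the ACS URL `https://login.example.com/login/callback` and the IdP issuer are all constructed for this example. In a real SP this runs only after the XML signature has been verified; the audience check alone does not authenticate anything.

```python
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml
from typing import List, Tuple

# SAML 2.0 namespaces used in the XPath lookups below.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def expected_audience(tenant: str, connection_name: str) -> str:
    """The SP entity ID Auth0 documents for a SAML connection (urn:auth0:TENANT:CONNECTION_NAME)."""
    return f"urn:auth0:{tenant}:{connection_name}"


def sample_response(audience: str, destination: str) -> str:
    """Constructed, unsigned SAML Response carrying one AudienceRestriction (example data only)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{destination}">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def audiences_in_response(saml_response_xml: str) -> List[str]:
    """Collect every <saml:Audience> value from the Conditions of each Assertion."""
    root = ET.fromstring(saml_response_xml)
    path = ".//saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [(node.text or "").strip() for node in root.findall(path, NS)]


def check_audience(saml_response_xml: str, tenant: str, connection_name: str) -> Tuple[bool, str]:
    """Accept the Response only if one of its Audience values equals the SP's configured entity ID.

    The message on failure mirrors the thread: "Configured ..." is the SP-side value,
    and the mismatch is caused by whatever the IdP was registered with.
    """
    expected = expected_audience(tenant, connection_name)
    found = audiences_in_response(saml_response_xml)
    if not found:
        return False, f"audience is invalid. Configured {expected}, no AudienceRestriction present"
    if expected in found:
        return True, "audience ok"
    return False, f"audience is invalid. Configured {expected}, received {found}"


def check_destination(saml_response_xml: str, acs_url: str) -> bool:
    """Separate check: the Response's Destination must be the ACS URL the SP actually serves
    (with a custom domain, that is the custom-domain callback, not the *.auth0.com one)."""
    root = ET.fromstring(saml_response_xml)
    return root.get("Destination") == acs_url


if __name__ == "__main__":
    acs = "https://login.example.com/login/callback"
    good = sample_response("urn:auth0:example-tenant:corp-saml", acs)
    # The IdP admin registered the custom domain as the entity ID instead of the urn.
    bad = sample_response("https://login.example.com", acs)
    print(check_audience(good, "example-tenant", "corp-saml"))
    print(check_audience(bad, "example-tenant", "corp-saml"))
    print(check_destination(good, acs))
```

Running it shows the same symptom the thread describes: the second Response is rejected with a message that quotes the SP's configured audience, even though the value that is actually wrong is the one the IdP was registered with.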
