SAML IDP Sends No Audience

Problem statement

This article explains how to handle a SAML connection with an Identity Provider whose SAML response does not include an Audience or AudienceRestriction attribute, which causes the login flow to fail with an invalid audience error.

Symptoms

A SAML connection with an Identity Provider whose SAML response does not include an Audience or AudienceRestriction attribute causes the flow to throw an "invalid audience" error.

Troubleshooting

The Identity Provider says that this attribute should not be required by the SP, according to the SAML protocol.

Solution

There’s a connection option you can enable with this Management API endpoint.

First retrieve the connection's existing options object with a GET request, then add the following key-value pair to it:

"options": {
    ...,
    "checkAudience": false
}

With this option set to false, the AudienceRestriction attribute will not be checked.

Note: If you use the options parameter, the entire options object is overridden. To avoid partial data or other issues, ensure all existing parameters are present in the object when using this option.
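Because the update replaces the whole options object, the safe procedure is to fetch the current options, merge in checkAudience, and send the complete object back. The following is an added example, not code from the original article; it assumes the Auth0 Management API connection endpoints (GET and PATCH /api/v2/connections/{id}), a token with the update:connections scope, and the placeholder tenant domain, connection id and token shown below.

```python
import json
import urllib.request
from typing import Optional

# Placeholders (assumptions): replace with your tenant, connection id and token.
TENANT_DOMAIN = "YOUR_TENANT.auth0.com"
CONNECTION_ID = "con_XXXXXXXXXXXXXXXX"
MGMT_TOKEN = "MGMT_API_TOKEN_WITH_update_connections_SCOPE"


def merge_check_audience(current_options: dict, check_audience: bool = False) -> dict:
    """Return a copy of the existing options with checkAudience set.

    The update overrides the entire options object, so every existing key
    (signInEndpoint, signingCert, ...) is carried over unchanged; only
    checkAudience is added or overwritten. The input dict is not mutated.
    """
    merged = dict(current_options)
    merged["checkAudience"] = check_audience
    return merged


def _request(method: str, path: str, body: Optional[dict] = None) -> dict:
    """Minimal authenticated JSON call against the Management API."""
    url = f"https://{TENANT_DOMAIN}/api/v2{path}"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {MGMT_TOKEN}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def disable_audience_check(connection_id: str) -> dict:
    """GET the connection, merge the flag, then PATCH the full options back."""
    connection = _request("GET", f"/connections/{connection_id}")
    # Assumption: SAML connections use the "samlp" strategy; refuse anything else.
    if connection.get("strategy") != "samlp":
        raise ValueError("checkAudience only applies to SAML (samlp) connections")
    new_options = merge_check_audience(connection.get("options", {}))
    return _request("PATCH", f"/connections/{connection_id}", {"options": new_options})


if __name__ == "__main__":
    updated = disable_audience_check(CONNECTION_ID)
    print(json.dumps(updated.get("options", {}), indent=2))
```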