SharePoint 2013, configured but giving a warning about Audience URI

tbsdirectsystems · July 27, 2017, 5:46pm

I have followed the SharePoint set-up, and I’m able to log into my platform with internal AD authentication, however when I try to login with a Google account, I get the following error message:

The Audience URI could not be validated. 
Description: An unhandled exception occurred during 
the execution of the current web request. Please review the stack trace 
for more information about the error and where it originated in the 
code.

Exception Details: Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The Audience URI could not be validated.

Source Error: 

An unhandled exception was generated during the execution of the current
web request. Information regarding the origin and location of the 
exception can be identified using the exception stack trace below.

Stack Trace: 
[FailedAuthenticationException: The Audience URI could not be validated.]
   Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateConditions(SamlConditions conditions, Boolean enforceAudienceRestriction) +158
   Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +429
   Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +113
   Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +147
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +602
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +522
   Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +204
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +182
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165

Has anyone else had this issue? Any there I can check the setup?
I have checked my alternate access mapping against a system running the same in test, and they are the same. I figure there’s one step I’m missing.
Thanks,
Rob

jmangelo · August 10, 2017, 7:05pm

When you configure a Sharepoint SSO Integration the SAML assertion sent to Sharepoint will contain an audience restriction of the form urn:[client_id_of_sso_app]. Based on the information provided Sharepoint is rejecting that audience as it does not consider it valid.

The SSO integration steps done on the Sharepoint side should have resulted in this audience being considered valid, more specifically, when you execute the Enable-Auth0 cmdlet you’ll pass a -clientId: option that will be used to derive the expected audience and configure it as valid.

Without more information and without access to the Sharepoint configuration is difficult to ascertain why it’s rejecting the audience being sent by Auth0. As a general troubleshoot recommendation I would recommend repeating the configuration steps, making sure the client identifier provided is the expected one associated with the SSO integration configured in Auth0.

Topic		Replies	Views
“Audience is invalid” Error in SAML with custom domain Help connections , saml-enterprise-connection	3	562	February 15, 2024
Troubleshooting Invalid Audience Errors Knowledge Articles invalid-audience , token-verification	1	57	September 30, 2024
SAML - Atlassian as Service Provider returns 'Audience is invalid' Help sso , application	7	41	August 14, 2024
Potential non-conformance with SAML's AudienceRestriction Help saml	3	3570	August 30, 2019
Getting Error when logging in using SSO Help login-experience , login-prompt-new-experience	2	1269	December 21, 2022

SharePoint 2013, configured but giving a warning about Audience URI

Related Topics