
SharePoint 2013, configured but giving a warning about Audience URI



I have followed the SharePoint set-up, and I’m able to log into my platform with internal AD authentication, however when I try to login with a Google account, I get the following error message:

The Audience URI could not be validated. 
Description: An unhandled exception occurred during 
the execution of the current web request. Please review the stack trace 
for more information about the error and where it originated in the 

Exception Details: Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The Audience URI could not be validated.

Source Error: 

An unhandled exception was generated during the execution of the current
web request. Information regarding the origin and location of the 
exception can be identified using the exception stack trace below.

Stack Trace: 
[FailedAuthenticationException: The Audience URI could not be validated.]
   Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateConditions(SamlConditions conditions, Boolean enforceAudienceRestriction) +158
   Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +429
   Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +113
   Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +147
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +602
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +522
   Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +204
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +182
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165

Has anyone else had this issue? Is there anything I can check in the setup?
I have checked my alternate access mapping against a system running the same in test, and they are the same. I figure there’s one step I’m missing.


When you configure a SharePoint SSO Integration, the SAML assertion sent to SharePoint will contain an audience restriction of the form urn:[client_id_of_sso_app]. Based on the information provided, SharePoint is rejecting that audience as it does not consider it valid.

The SSO integration steps done on the SharePoint side should have resulted in this audience being considered valid; more specifically, when you execute the Enable-Auth0 cmdlet you’ll pass a -clientId: option that will be used to derive the expected audience and configure it as valid.

Without more information and without access to the SharePoint configuration, it is difficult to ascertain why it’s rejecting the audience being sent by Auth0. As a general troubleshooting recommendation, I would suggest repeating the configuration steps, making sure the client identifier provided is the expected one associated with the SSO integration configured in Auth0.
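The check that fails in the stack trace above (ValidateConditions with audience restriction enforced) is easy to reproduce outside SharePoint, which helps when diagnosing a mismatch between the audience Auth0 puts in the assertion and the client ID SharePoint was configured with. The following is an added example, not code from SharePoint, Auth0 or the original thread: it parses a constructed SAML 1.1 assertion, collects the Audience values under each AudienceRestrictionCondition, and compares them against the urn:[client_id] form the answer describes. The client ID, issuer and timestamps in the sample are placeholders, and exact string comparison of audience URIs is an assumption about the relying party's behaviour.

```python
import xml.etree.ElementTree as ET

# SAML 1.1 assertion namespace (SAML 1.x uses AudienceRestrictionCondition,
# unlike SAML 2.0's AudienceRestriction).
SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML11_NS}

# Constructed sample assertion; AssertionID, Issuer, timestamps and the
# client ID are placeholders, not values from any real tenant.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-assertion-id"
    Issuer="urn:example-tenant.auth0.com" IssueInstant="2015-01-01T00:00:00Z">
  <saml:Conditions NotBefore="2015-01-01T00:00:00Z" NotOnOrAfter="2015-01-01T01:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:CLIENT_ID_PLACEHOLDER</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""


def expected_audience(client_id: str) -> str:
    """Audience SharePoint is expected to accept for an SSO app: urn:<client_id>.

    This is the form described in the answer above; the client_id argument is
    whatever was passed to Enable-Auth0 -clientId.
    """
    return f"urn:{client_id}"


def extract_audience_conditions(assertion_xml: str) -> list:
    """Return one list of Audience strings per AudienceRestrictionCondition."""
    root = ET.fromstring(assertion_xml)
    conditions = []
    for cond in root.iterfind(".//saml:Conditions/saml:AudienceRestrictionCondition", NS):
        audiences = [a.text.strip() for a in cond.iterfind("saml:Audience", NS) if a.text]
        conditions.append(audiences)
    return conditions


def validate_audience(assertion_xml: str, allowed_audiences, enforce: bool = True):
    """Mimic an audience-restriction check.

    SAML 1.1 semantics: every AudienceRestrictionCondition must be satisfied,
    and a single condition is satisfied when at least one of its Audience
    values names the relying party. Comparison is an exact string match
    (assumption). Returns (ok, reason).
    """
    allowed = set(allowed_audiences)
    conditions = extract_audience_conditions(assertion_xml)
    if not conditions:
        if enforce:
            return False, "no AudienceRestrictionCondition present but enforcement is on"
        return True, "no audience restriction; enforcement is off"
    for audiences in conditions:
        if not any(a in allowed for a in audiences):
            return False, (
                "The Audience URI could not be validated: assertion names "
                f"{audiences}, relying party accepts {sorted(allowed)}"
            )
    return True, "audience restriction satisfied"


def diagnose_client_id_mismatch(assertion_xml: str, configured_client_id: str):
    """Report which client ID the assertion was issued for versus the one configured.

    Helper for the troubleshooting step in the answer: if the issued audience is
    urn:<something else>, the -clientId passed to Enable-Auth0 is the likely culprit.
    """
    issued = [a for cond in extract_audience_conditions(assertion_xml) for a in cond]
    issued_ids = [a[len("urn:"):] for a in issued if a.startswith("urn:")]
    return {
        "configured_client_id": configured_client_id,
        "issued_for_client_ids": issued_ids,
        "matches": configured_client_id in issued_ids,
    }


if __name__ == "__main__":
    ok, why = validate_audience(SAMPLE_ASSERTION, [expected_audience("CLIENT_ID_PLACEHOLDER")])
    print(ok, why)
    ok, why = validate_audience(SAMPLE_ASSERTION, [expected_audience("WRONG_CLIENT_ID")])
    print(ok, why)
    print(diagnose_client_id_mismatch(SAMPLE_ASSERTION, "WRONG_CLIENT_ID"))
```

Run it against an assertion captured from a failing sign-in (for example with browser developer tools on the POST to the SharePoint trust endpoint) with the client ID you passed to Enable-Auth0; a "matches: False" result points at the client identifier rather than at alternate access mappings.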