Getting "Assertion does not contain unique subject provider identifier XX in the audience restriction conditions" with Azure SSO
We're trying to use Microsoft Azure AD as SSO provider.
And getting error says "Assertion does not contain unique subject provider identifier XX in the audience restriction conditions" when trying to use IDP initialized SSO.
The login URL used is:
https://launcher.myapps.microsoft.com/api/signin/[UNIQUE ID]?tenantId=[TENANTID]&RelayState=https%3A%2F%2F[PEGA HOST]%2Fprweb%2FPRAuth%2FazureAdAuth
Would be appreciated a lot if anyone can help.
From the log file, we can see:
We're trying to use Microsoft Azure AD as SSO provider.
And getting error says "Assertion does not contain unique subject provider identifier XX in the audience restriction conditions" when trying to use IDP initialized SSO.
The login URL used is:
https://launcher.myapps.microsoft.com/api/signin/[UNIQUE ID]?tenantId=[TENANTID]&RelayState=https%3A%2F%2F[PEGA HOST]%2Fprweb%2FPRAuth%2FazureAdAuth
Would be appreciated a lot if anyone can help.
From the log file, we can see:
2023-06-01 11:30:15,301 [fault (self-tuning)'] [ STANDARD] [ ] [ PegaRULES:8] ( internal.util.PRSAMLv2Utils) DEBUG |Rest|WebSSO|SAML|v2_assertionconsumerservice27d966ed6057ae45375fdfa98b29416f|AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA|RelayStateID:https://[PEGA HOST]/prweb/PRAuth/azureAdAuth:RelayStateID AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA - Response message received : [SAML response] 2023-06-01 11:30:15,301 [fault (self-tuning)'] [ STANDARD] [ ] [ PegaRULES:8] ( internal.util.PRSAMLv2Utils) DEBUG |Rest|WebSSO|SAML|v2_assertionconsumerservice27d966ed6057ae45375fdfa98b29416f|AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA|RelayStateID:https://[PEGA HOST]/prweb/PRAuth/azureAdAuth:RelayStateID AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA - Converting SAML string received to SAML object 2023-06-01 11:30:15,307 [fault (self-tuning)'] [ STANDARD] [ ] [ PegaRULES:8] ( internal.util.PRSAMLv2Utils) DEBUG |Rest|WebSSO|SAML|v2_assertionconsumerservice27d966ed6057ae45375fdfa98b29416f|AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA|RelayStateID:https://[PEGA HOST]/prweb/PRAuth/azureAdAuth:RelayStateID AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA - Successfully validated the SAML Response protocol validation 2023-06-01 11:30:15,307 [fault (self-tuning)'] [ STANDARD] [ ] [ PegaRULES:8] ( internal.util.PRSAMLv2Utils) DEBUG |Rest|WebSSO|SAML|v2_assertionconsumerservice27d966ed6057ae45375fdfa98b29416f|AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA|RelayStateID:https://[PEGA HOST]/prweb/PRAuth/azureAdAuth:RelayStateID AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA - Extracted IDP Entity Id : [IDP Entity Id] SP Entity Id: [SP Entity Id] ACS URL : [ACS URL] 2023-06-01 11:30:15,309 [fault (self-tuning)'] [ STANDARD] [ ] [ PegaRULES:8] ( internal.util.PRSAMLv2Utils) ERROR |Rest|WebSSO|SAML|v2_assertionconsumerservice27d966ed6057ae45375fdfa98b29416f|AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA|RelayStateID:https://[PEGA HOST]/prweb/PRAuth/azureAdAuth:RelayStateID AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA - Caught Exception while validating SAML2 Authentication response for SSO profile : Assertion does not contain unique subject provider identifier [Entity ID] in the audience restriction conditions
***Edited by Moderator Marije to add Support Case Details; ***
Accepted Solution
Updated: 27 Jun 2023 23:09 EDT
Pegasystems Inc.
GB
@GAVINHSU if you also log a support incident at the same time as posting PSC questions could you include that information in your forum post? That way we can help track the issue with you.
I have added INC-A1534 to this thread.
Error extract:
Caught Exception while validating SAML2 Authentication response for SSO profile : Assertion does not contain unique subject provider identifier [Entity ID] in the audience restriction conditions
For the error you are getting it seems to be a third-party product issue. IDP might not be returning the proper Entity Identification in the SAML response if the the SAML authentication profile is configured in a certain format:
eg
https://<Server name or IP>:<PORT>/prweb/sp/<unique id>
Check if the SAML response from the IDP is returning a different "Audience" element , perhaps in the format
https://<Server name or IP>:<PORT>/prweb
Update the IDP configuration and return the same Entity Identification as configured in the SAML authentication profile.
The SAML response XML should have the Audience element as follows:
<saml2:AudienceRestriction> <saml2:Audience>https://<Server name or IP>:<PORT>/prweb/sp/<unique id>:Audience> </saml2:AudienceRestriction>
@GAVINHSU if you also log a support incident at the same time as posting PSC questions could you include that information in your forum post? That way we can help track the issue with you.
I have added INC-A1534 to this thread.
Error extract:
Caught Exception while validating SAML2 Authentication response for SSO profile : Assertion does not contain unique subject provider identifier [Entity ID] in the audience restriction conditions
For the error you are getting it seems to be a third-party product issue. IDP might not be returning the proper Entity Identification in the SAML response if the the SAML authentication profile is configured in a certain format:
eg
https://<Server name or IP>:<PORT>/prweb/sp/<unique id>
Check if the SAML response from the IDP is returning a different "Audience" element , perhaps in the format
https://<Server name or IP>:<PORT>/prweb
Update the IDP configuration and return the same Entity Identification as configured in the SAML authentication profile.
The SAML response XML should have the Audience element as follows:
<saml2:AudienceRestriction> <saml2:Audience>https://<Server name or IP>:<PORT>/prweb/sp/<unique id>:Audience> </saml2:AudienceRestriction>
If the above does not help our support team will help you further.
1. Review IDP (Okta?) configuration - Identify the unique Id if mismatching.
Correct the unique id and reimport the idp meta data.
2. Review the pega Authentication service configuration.
Mediatek Inc. China
CN
@MarijeSchillern Thanks for help. You're right, we updated the Entity Identifier of PEGA SAML authentication service to use the AudienceRestriction responsed from Azure AD. And it works now.
I suppose there should be some configuration issue with our Azure AD.
But anyway, the Entity Identifier of PEGA SAML authentication service must be the same with the AudienceRestriction responsed from Azure AD.