Getting "Assertion does not contain unique subject provider identifier XX in the audience restriction conditions" with Azure SSO
We're trying to use Microsoft Azure AD as the SSO provider.
We are getting the error "Assertion does not contain unique subject provider identifier XX in the audience restriction conditions" when trying to use IDP-initiated SSO.
The login URL used is:
https://launcher.myapps.microsoft.com/api/signin/[UNIQUE ID]?tenantId=[TENANTID]&RelayState=https%3A%2F%2F[PEGA HOST]%2Fprweb%2FPRAuth%2FazureAdAuth
It would be appreciated a lot if anyone can help.
From the log file, we can see:
2023-06-01 11:30:15,301 [fault (self-tuning)'] [ STANDARD] [ ] [ PegaRULES:8] ( internal.util.PRSAMLv2Utils) DEBUG |Rest|WebSSO|SAML|v2_assertionconsumerservice27d966ed6057ae45375fdfa98b29416f|AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA|RelayStateID:https://[PEGA HOST]/prweb/PRAuth/azureAdAuth:RelayStateID AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA - Response message received : [SAML response]
2023-06-01 11:30:15,301 [fault (self-tuning)'] [ STANDARD] [ ] [ PegaRULES:8] ( internal.util.PRSAMLv2Utils) DEBUG |Rest|WebSSO|SAML|v2_assertionconsumerservice27d966ed6057ae45375fdfa98b29416f|AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA|RelayStateID:https://[PEGA HOST]/prweb/PRAuth/azureAdAuth:RelayStateID AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA - Converting SAML string received to SAML object
2023-06-01 11:30:15,307 [fault (self-tuning)'] [ STANDARD] [ ] [ PegaRULES:8] ( internal.util.PRSAMLv2Utils) DEBUG |Rest|WebSSO|SAML|v2_assertionconsumerservice27d966ed6057ae45375fdfa98b29416f|AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA|RelayStateID:https://[PEGA HOST]/prweb/PRAuth/azureAdAuth:RelayStateID AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA - Successfully validated the SAML Response protocol validation
2023-06-01 11:30:15,307 [fault (self-tuning)'] [ STANDARD] [ ] [ PegaRULES:8] ( internal.util.PRSAMLv2Utils) DEBUG |Rest|WebSSO|SAML|v2_assertionconsumerservice27d966ed6057ae45375fdfa98b29416f|AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA|RelayStateID:https://[PEGA HOST]/prweb/PRAuth/azureAdAuth:RelayStateID AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA - Extracted IDP Entity Id : [IDP Entity Id] SP Entity Id: [SP Entity Id] ACS URL : [ACS URL]
2023-06-01 11:30:15,309 [fault (self-tuning)'] [ STANDARD] [ ] [ PegaRULES:8] ( internal.util.PRSAMLv2Utils) ERROR |Rest|WebSSO|SAML|v2_assertionconsumerservice27d966ed6057ae45375fdfa98b29416f|AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA|RelayStateID:https://[PEGA HOST]/prweb/PRAuth/azureAdAuth:RelayStateID AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAEA - Caught Exception while validating SAML2 Authentication response for SSO profile : Assertion does not contain unique subject provider identifier [Entity ID] in the audience restriction conditions
***Edited by Moderator Marije to add Support Case Details; ***
@GAVINHSU if you also log a support incident at the same time as posting PSC questions could you include that information in your forum post? That way we can help track the issue with you.
I have added INC-A1534 to this thread.
Error extract:
Caught Exception while validating SAML2 Authentication response for SSO profile : Assertion does not contain unique subject provider identifier [Entity ID] in the audience restriction conditions
For the error you are getting it seems to be a third-party product issue. The IDP might not be returning the proper Entity Identification in the SAML response if the SAML authentication profile is configured in a certain format, e.g.
https://<Server name or IP>:<PORT>/prweb/sp/<unique id>
Check if the SAML response from the IDP is returning a different "Audience" element, perhaps in the format
https://<Server name or IP>:<PORT>/prweb
Update the IDP configuration and return the same Entity Identification as configured in the SAML authentication profile.
The SAML response XML should have the Audience element as follows:
<saml2:AudienceRestriction>
  <saml2:Audience>https://<Server name or IP>:<PORT>/prweb/sp/<unique id></saml2:Audience>
</saml2:AudienceRestriction>
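The check the reply describes, as an added example that is not part of the original thread or of Pega's own code: it pulls every Audience value out of a SAML Response and compares it verbatim against the SP entity ID configured in the authentication profile, so a truncated "/prweb" audience is flagged the same way the log above reports it. The host, port and unique id are placeholder values standing in for the post's angle-bracket fields.

```python
"""Audience-restriction check for a SAML 2.0 Response, as an SP applies it."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def extract_audiences(response_xml: str) -> list:
    """Return every <saml2:Audience> value found in the assertion(s) of a Response."""
    root = ET.fromstring(response_xml)
    path = ".//saml2:Conditions/saml2:AudienceRestriction/saml2:Audience"
    return [(aud.text or "").strip() for aud in root.iterfind(path, NS)]

def audience_matches(response_xml: str, sp_entity_id: str) -> bool:
    """True only if the configured SP entity ID appears verbatim among the audiences.
    The comparison is exact string equality, so 'https://host/prweb' does not
    satisfy an SP configured as 'https://host/prweb/sp/<unique id>'."""
    return sp_entity_id in extract_audiences(response_xml)

def build_response(audience: str) -> str:
    """Constructed, unsigned SAML Response with one AudienceRestriction (fixture only)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml2="{NS['saml2']}"
    ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Conditions NotBefore="2023-06-01T11:25:15Z" NotOnOrAfter="2023-06-01T12:30:15Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>{audience}</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</samlp:Response>"""

# Placeholder standing in for "https://<Server name or IP>:<PORT>/prweb/sp/<unique id>".
SP_ENTITY_ID = "https://pega.example.com:8443/prweb/sp/abc123"

if __name__ == "__main__":
    # First audience reproduces the mismatch from the thread; second is the corrected IDP config.
    for aud in ("https://pega.example.com:8443/prweb", SP_ENTITY_ID):
        ok = audience_matches(build_response(aud), SP_ENTITY_ID)
        print(f"Audience {aud!r}: {'OK' if ok else 'MISMATCH (audience restriction error)'}")
```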
If the above does not help our support team will help you further.
1. Review the IDP (Okta?) configuration - identify the unique id if it is mismatching.
Correct the unique id and reimport the IDP metadata.
2. Review the Pega Authentication service configuration.