Signon Fails because the specified Audience is not present in AudienceUris


Solution 1

If I understand your situation, you've got a relying party (your webapp) sending to an identity provider (ADFS server), and once the relying party (your webapp) has authenticated, you are redirecting the user to another app.

The error references the relying party's config file AudienceUris section. A value is likely missing or misspelled:

<configuration>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="http://YourSiteHere/" />
      </audienceUris>
    </identityConfiguration>
  </system.identityModel>
</configuration>

HTH

Solution 2

Sometimes it could be because of the trailing slash "/" ... which was the problem in my case. Copied the URL from the error message and added it to the audienceUris, and it started working fine.
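Added example, not code from either answer or from WIF: a stand-alone C# console program that models the audience restriction check behind ID1038 using .NET Uri equality, which is what the allowed-audience comparison in WIF's token handlers comes down to. The allowed list, the realm https://domain/SSO_Test/ and the test inputs are constructed from this page's values; the trailing-slash hint is this example's own diagnostic and is not something WIF prints.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Models the audience restriction check that fails with ID1038.
// WIF keeps AllowedAudienceUris as a collection of System.Uri and accepts a
// token only when its Audience equals one of them, so the rule being shown
// here is ordinary Uri equality (assumption stated in the lead-in).
static class AudienceCheck
{
    // Stand-in for the <audienceUris> entries in the relying party's web.config.
    // Constructed for this example from the realm used in the question.
    public static readonly IReadOnlyList<Uri> AllowedAudienceUris = new[]
    {
        new Uri("https://domain/SSO_Test/"),
    };

    // True when the audience carried in the token is acceptable.
    public static bool IsAllowed(string tokenAudience, IEnumerable<Uri> allowed)
    {
        var audience = new Uri(tokenAudience, UriKind.Absolute);
        // Uri.Equals ignores scheme/host case and the fragment but compares the
        // path exactly, so "/SSO_Test" and "/SSO_Test/" are different audiences.
        return allowed.Contains(audience);
    }

    // Produces an ID1038-style message plus a hint for the usual cause.
    public static string Explain(string tokenAudience, IEnumerable<Uri> allowed)
    {
        var allowedList = allowed.ToList();
        if (IsAllowed(tokenAudience, allowedList))
            return "OK: " + tokenAudience + " is present in AudienceUris.";

        // Example's own diagnostic: does the audience match an allowed value
        // once a trailing slash is ignored on both sides?
        var trimmedAudience = new Uri(tokenAudience.TrimEnd('/'), UriKind.Absolute);
        var slashOnly = allowedList.FirstOrDefault(u =>
            new Uri(u.AbsoluteUri.TrimEnd('/'), UriKind.Absolute).Equals(trimmedAudience));

        var hint = slashOnly != null
            ? " Differs from " + slashOnly.AbsoluteUri + " only by a trailing slash;"
              + " add the exact value from the error message to <audienceUris>."
            : " Add this exact value to <audienceUris> in the relying party's web.config.";

        return "ID1038-style failure: Audience " + tokenAudience
               + " is not present in AudienceUris." + hint;
    }

    static void Main()
    {
        // ADFS puts the relying party identifier (the wtrealm from the sign-in
        // request) into the token's audience, so these are the values to test.
        // Inputs constructed for this example.
        string[] audiences =
        {
            "https://domain/SSO_Test/",   // exact match: accepted
            "https://DOMAIN/SSO_Test/",   // host case differs: still equal, accepted
            "https://domain/SSO_Test",    // trailing slash missing: rejected
            "https://domain/sso_test/",   // path case differs: rejected, no slash hint
        };

        foreach (var audience in audiences)
            Console.WriteLine(Explain(audience, AllowedAudienceUris));
    }
}
```

Running it shows which differences between the realm you send and the `audienceUris` entries matter: host case does not, path case and the trailing slash do. The practical check is to copy the Audience value from the ID1038 message verbatim into `<audienceUris>`, as Solution 2 describes, rather than retyping it.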

Author: user3527063

Updated on June 23, 2022

Comments

  • user3527063
    user3527063 about 2 years

    I have a webapp which does signin request/send to my ADFS server. On the return it is directed to another app URL, which I configured in my IIS server, i.e. the same URL is configured in the ADFS server also.

    This error message follows

    ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris. Audience:

    Here is the code. Why does it fail as such?

    // Requires System, System.Globalization and System.IdentityModel.Services (WIF 4.5)
    issuerLocation = "https://test12.login.mytest.edu/adfs/ls/";
    realm = "https://domain/SSO_Test/";   // sent as wtrealm; this value becomes the token's audience

    // Strip the query string before storing the return URL in the context cookie.
    var returnUrl = this.Request.Url.AbsoluteUri;
    if (!string.IsNullOrEmpty(this.Request.Url.Query))
    {
        returnUrl = returnUrl.Remove(returnUrl.IndexOf(this.Request.Url.Query, StringComparison.OrdinalIgnoreCase));
    }
    var contextId = Guid.NewGuid().ToString();
    this.CreateContextCookie(contextId, returnUrl);

    // Build the WS-Federation sign-in request and redirect the browser to ADFS.
    var message = new SignInRequestMessage(new Uri(issuerLocation), realm)
    {
        CurrentTime = DateTime.UtcNow.ToString("s", CultureInfo.InvariantCulture) + "Z",
    };

    this.Response.Redirect(message.RequestUrl, false);
    
  • psaxton
    psaxton over 9 years
    I've been bit more than once by a trailing '/' either needing to be there or not.
  • Mohan
    Mohan over 6 years
    @CaPorter, I am very new to ADFS. I have set up my own ADFS server and configured a relying party trust with the SAML protocol. In the ASP.NET MVC code, I don't know how to handle SAML-based authentication in the callback method. For a WS-Federation based relying party I am able to parse the user information using the ClaimsPrincipal.Current object, but how do I do it for the SAML-based protocol? Please help me.
  • Mohan
    Mohan over 6 years
    I want to integrate my ASP.NET MVC application with ADFS authentication using the SAML-based protocol. I did this successfully for my own ADFS server using the WS-Federation protocol, and I am able to read the response details using ClaimsPrincipal. But it fails when one of my clients sends me a SAML-based response; how do I validate and filter the claims in the callback method? Please help me.
  • CaPorter
    CaPorter over 6 years
    Hi @Mohan, if you've still got questions, if you'll submit your question on StackOverflow, and let me know, I'd be glad to help.
  • Mohan
    Mohan over 6 years
    @CaPorter, I have done everything for the authentication, but I am getting null while converting the User object into a ClaimsPrincipal. See the line `var claims = (User as ClaimsPrincipal).Claims`. Please suggest the changes.
  • ΩmegaMan
    ΩmegaMan almost 3 years
    To be clear, did you add it to your local config, or the server config's?