2541151 - SAML2Assertion validation failed: Audience restriction does not specify the current Service Provider

Symptom

Configured SAML 2.0 logon fails and errors similar to below are recorded in the SAP Application Server JAVA troubleshooting wizard traces:

****************************************************************************************************************************
Service Provider has received SAML2Assertion from Identity Provider <IDP details> whose audience restriction <AudienceRestriction> does not specify the current Service Provider
Warning saml2.sp.ResponseValidationService SAML2Assertion validation failed. [EXCEPTION]
Caused by: com.sap.security.saml2.sp.exception.BadCredentialsException: Rejected not signed Assertion
Reason: Service Provider does not match specified audience in the SAML2Assertion.
****************************************************************************************************************************

Environment

SAP NetWeaver Java

Product

SAP Composition Environment all versions ; SAP NetWeaver Application Server for Java all versions ; SAP NetWeaver all versions ; SAP Process Integration all versions ; SAP Solution Manager all versions

Keywords

sso single-sign-on login.failed artifact JAVA Service Provider SP Identity Provider IDP Issue Instant is not valid SAP Production ABAP R/3 ERP SRM CRM ERP PPM SEM APO XI PI PORTAL Test development QA SAML 2.0 SAML2Assertion Warning saml2.sp.ResponseValidationService SAML2Assertion Service Provider SAMLREQUEST

, KBA , BC-JAS-SEC-SML , JAVA SAML 1.1 and 2.0 , BC-JAS-SEC , Security, User Management , BC-SEC-LGN-SML , SAML 2.0 for ABAP , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.