Error "The token applies to an untrusted audience" when using SAML with ADFS 3.0 and Tomcat

Document ID : KB000117611
Last Modified Date : 16/10/2018
Issue:

Attempting to access the SDM Tomcat URL https://company.com:443/CAisd/pdmweb.exe after setting up SDM Tomcat for SAML results in the following error:

com.auth10.federation.FederationException: The token applies to an untrusted audience: https://company.com/CAisd/pdmweb.exe 
at com.auth10.federation.SamlTokenValidator.validate(SamlTokenValidator.java:179)
Cause:

An ADFS Admin creates a Relying Party Trust (https://docops.ca.com/ca-service-management/17-1/en/installing/post-installation-tasks/ca-service-desk-manager-post-installation-tasks/enable-saml-authentication-for-ca-sdm) for SDM with an Endpoint such as https://company.com:443/CAisd/pdmweb.exe

Careful attention needs to be paid to the presence of the port number :443 (as in https://company.com:443/CAisd/pdmweb.exe) or its absence (as in https://company.com/CAisd/pdmweb.exe) in the Endpoint defined there. The SAML token validator compares the audience in the token against the configured audience URIs as an exact string match; it does not treat the explicit default port and the omitted port as equivalent, so the two spellings above are two different audiences even though they address the same server.
 

Resolution:

Check the values in the audienceuris field of the file NX_ROOT/bopcfg/www/CATALINA_BASE/shared/resources/federation.properties

Ensure that the Endpoint definition of the Relying Party Trust in ADFS is one of the audienceuris values in this file. The URI printed in the error message is the audience value ADFS placed in the token; that exact string is the one that must appear in audienceuris.

If the Endpoint value is https://company.com/CAisd/pdmweb.exe but federation.properties has only https://company.com:443/CAisd/pdmweb.exe, the URI is not a full match and the error noted above is seen:

com.auth10.federation.FederationException: The token applies to an untrusted audience: https://company.com/CAisd/pdmweb.exe
at com.auth10.federation.SamlTokenValidator.validate(SamlTokenValidator.java:179)

Once https://company.com/CAisd/pdmweb.exe is added as one of the audienceuris values in federation.properties, restart SDM Tomcat to resolve the issue.
 

Additional Information:

Below is a sample audienceuris setting with multiple values (separated by |) that covers the :443 and :8443 ports as well as the HTTPS URL with the :443 port omitted.

federation.audienceuris=https://company.com:8443/CAisd/pdmweb.exe|https://company.com:443/CAisd/pdmweb.exe|https://company.com/CAisd/pdmweb.exe
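The following script is an added example for this article, not code from CA SDM or the auth10-federation library. It reproduces offline the two things the Resolution and Additional Information sections describe: an audience check that, like the validator, compares the <saml:Audience> of the token against the pipe-separated federation.audienceuris list by exact string match (so the :443 and no-port spellings fail to match each other), and a helper that composes an audienceuris value covering every default-port spelling of each Endpoint so that either form of the Relying Party Trust matches. The federation.properties content, the SAML assertion fragment and the issuer URL are constructed sample data; the property key federation.audienceuris and the URLs are taken from the article.

```python
"""Offline reproduction of the audience-URI check behind the
"The token applies to an untrusted audience" error (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed federation.properties content: only the :443 form is trusted,
# which is the failing configuration described in the article.
FEDERATION_PROPERTIES = """\
# federation.properties (constructed sample, not a real install)
federation.trustedissuers.issuer1=http://adfs.company.com/adfs/services/trust
federation.audienceuris=https://company.com:443/CAisd/pdmweb.exe
"""

# Constructed SAML 2.0 assertion fragment: ADFS issued it for a Relying Party
# Trust whose Endpoint has no explicit port, so the Audience has no :443.
SAML_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Issuer>http://adfs.company.com/adfs/services/trust</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://company.com/CAisd/pdmweb.exe</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def load_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value, trimmed."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audience_uris(properties_text):
    """federation.audienceuris is a '|'-separated list; blank entries are dropped."""
    raw = load_properties(properties_text).get("federation.audienceuris", "")
    return [u.strip() for u in raw.split("|") if u.strip()]


def token_audiences(assertion_xml):
    """Every <saml:Audience> value carried by the assertion."""
    root = ET.fromstring(assertion_xml)
    return [a.text.strip() for a in root.findall(".//saml:Audience", SAML_NS)]


def validate_audience(assertion_xml, properties_text):
    """Return None when an audience in the token is trusted, otherwise the
    untrusted-audience message. Exact string comparison, no URL normalisation:
    an explicit default port makes the URI a different audience."""
    trusted = set(audience_uris(properties_text))
    audiences = token_audiences(assertion_xml)
    if any(a in trusted for a in audiences):
        return None
    return "The token applies to an untrusted audience: " + ", ".join(audiences)


def equivalent_audiences(url):
    """Spellings of one http(s) URL that differ only by an explicit default port.
    A non-default port (e.g. :8443) has a single spelling and is returned as-is."""
    parts = urlsplit(url)
    default = {"https": 443, "http": 80}.get(parts.scheme)
    host = parts.hostname or ""
    variants = {url}
    if default is not None and parts.port in (None, default):
        variants.add(urlunsplit(parts._replace(netloc=host)))
        variants.add(urlunsplit(parts._replace(netloc=f"{host}:{default}")))
    return sorted(variants)


def fixed_audienceuris(*endpoint_urls):
    """Compose a federation.audienceuris line covering every spelling of each
    Relying Party Trust Endpoint, in the order the endpoints are given."""
    values = []
    for url in endpoint_urls:
        for variant in equivalent_audiences(url):
            if variant not in values:
                values.append(variant)
    return "federation.audienceuris=" + "|".join(values)


if __name__ == "__main__":
    print(validate_audience(SAML_ASSERTION, FEDERATION_PROPERTIES))
    fixed = fixed_audienceuris("https://company.com:8443/CAisd/pdmweb.exe",
                               "https://company.com:443/CAisd/pdmweb.exe")
    print(fixed)
    print(validate_audience(SAML_ASSERTION, fixed))
```

Run against the constructed data, the first check fails with the same message the article quotes, because the token's audience https://company.com/CAisd/pdmweb.exe is not character-for-character in the list; once the composed audienceuris line (which adds the no-port spelling beside :443 and :8443) is used, the same assertion validates. On a real install, the string to add is the one printed after "untrusted audience:" in the exception, and SDM Tomcat must be restarted for the new federation.properties to take effect.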