####<Aug 15, 2011 4:55:19 PM EDT> <Debug> <SecurityAtn> <server.customer.com> <server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <47200eb89d62d77c:56693a0d:131cefb4c9d:-8000-00000000000001b0> <1313441719095> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionTokenServiceImpl.assertIdentity - IdentityAssertionException>

####<Aug 15, 2011 4:55:19 PM EDT> <Debug> <SecuritySAML2Service> <server.customer.com> <bi_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <47200eb89d62d77c:56693a0d:131cefb4c9d:-8000-00000000000001b0> <1313441719097> <BEA-000000> <exception info javax.security.auth.login.LoginException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:096539]AudienceRestriction condition not satisfied (no matching audience). at com.bea.common.security.internal.service.IdentityAssertionServiceImpl.assertIdentity(IdentityAssertionServiceImpl.java:89)
We can clearly see that Weblogic’s Assertion Consumer Service (ACS) is trying to validate the SAML assertion. As part of that, it is verifying the AudienceRestriction condition.
According to the SAML specification, “the <AudienceRestriction> element specifies that the assertion is addressed to one or more specific audiences identified by <Audience> elements… The Audience URI MAY identify a document that describes the terms and conditions of audience membership. It MAY contain the unique identifier URI from a SAML name identifier that describes a system entity.” It also says that “the audience restriction condition evaluates to Valid if and only if the SAML relying party is a member of one or more of the audiences specified.”
If you can manage to look at the actual SAML assertion generated by the Identity Provider, you should be able to see what the Identity Provider is adding as <Audience> elements. In this customer case, it was:
<saml2:Conditions NotBefore="2011-08-15T20:54:11.000Z" NotOnOrAfter="2011-08-15T20:58:11.560Z">
  <saml2:AudienceRestriction>
    <saml2:Audience>http://server.customer.com:9704/saml2/sp/acs/post</saml2:Audience>
  </saml2:AudienceRestriction>
</saml2:Conditions>
It turns out that the Audience value must match the Service Provider ID. In the case of a Weblogic Service Provider, that value is the Entity ID, specified in the Weblogic Console as part of the Service Provider metadata definition in the “SAML 2.0 General” tab, as in the following screen:
The Entity ID parameter uniquely identifies a partner across federation interactions.
The customer then changed their home-built Identity Provider to put the value http://sp.customer.com in the <Audience> element, and things got back on track.
Bear in mind that the URL format is only a recommendation. The Entity ID can theoretically be any string less than 1024 characters long.
Another thing to be aware of is that the Assertion Consumer Service will also verify the <Issuer> element value in the incoming token against the “Issuer URI” in the Service Provider partner definition.
That “Issuer URI” value comes from the Identity Provider metadata definition that is imported into Weblogic’s Service Provider.
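The two checks described above (Audience against the SP Entity ID, Issuer against the partner's Issuer URI), as an added Python example that is not Weblogic's code. The assertion is constructed from the Conditions quoted earlier; the Identity Provider's Issuer value is a placeholder, since the post does not show it. A real ACS also verifies the XML signature and the NotBefore/NotOnOrAfter window and should use a hardened XML parser; those parts are out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. The Conditions element is the one quoted in the post;
# the Issuer value is a placeholder, since the post does not show the IdP's Issuer URI.
ASSERTION_TEMPLATE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>{issuer}</saml2:Issuer>
  <saml2:Conditions NotBefore="2011-08-15T20:54:11.000Z" NotOnOrAfter="2011-08-15T20:58:11.560Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>{audience}</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""


def sample_assertion(issuer, audience):
    return ASSERTION_TEMPLATE.format(issuer=issuer, audience=audience)


def check_assertion(xml_text, sp_entity_id, partner_issuer_uri):
    """Return (ok, reason). ok is True only when <Issuer> equals the partner's
    Issuer URI and the SP's Entity ID is a member of every AudienceRestriction.
    Signature and validity-window checks are deliberately left out."""
    root = ET.fromstring(xml_text)

    # Issuer check: the token's <Issuer> must equal the "Issuer URI" configured
    # for the Identity Provider partner (taken from the imported IdP metadata).
    issuer = (root.findtext("saml2:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != partner_issuer_uri:
        return False, "Issuer %r does not match partner Issuer URI %r" % (issuer, partner_issuer_uri)

    # AudienceRestriction check: SAML 2.0 core requires every <AudienceRestriction>
    # to be satisfied, and one is satisfied when the relying party's identifier is
    # among its <Audience> values. The comparison is a plain string match, which is
    # why the ACS URL in the post did not match the Entity ID http://sp.customer.com.
    for restriction in root.findall("saml2:Conditions/saml2:AudienceRestriction", NS):
        audiences = [a.text.strip() for a in restriction.findall("saml2:Audience", NS) if a.text]
        if sp_entity_id not in audiences:
            return False, "AudienceRestriction condition not satisfied (no matching audience)"
    return True, "ok"


if __name__ == "__main__":
    sp_id, idp = "http://sp.customer.com", "http://idp.customer.com"  # idp is a placeholder
    print(check_assertion(sample_assertion(idp, "http://server.customer.com:9704/saml2/sp/acs/post"), sp_id, idp))
    print(check_assertion(sample_assertion(idp, sp_id), sp_id, idp))
```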
