"Audience is Invalid" Error in SAML Connections

Overview

This article explains the "Audience is invalid" error that can occur during a Security Assertion Markup Language (SAML) authentication flow. This error indicates a mismatch between the intended recipient of the SAML assertion and the application that received it.

Applies To
  • Security Assertion Markup Language (SAML)

  • SAML Enterprise Connections

  • Entity ID

Cause

The "Audience is invalid" error occurs when the value of the <saml:Audience> element inside the SAML assertion sent by the Identity Provider (IdP) does not exactly match the Entity ID configured in the Auth0 SAML connection settings.

This is a critical security validation: it ensures that the SAML assertion was issued specifically for this application (Service Provider) and not for some other one. If the values do not match, Auth0 rejects the assertion so that an assertion issued for one Service Provider cannot be accepted by another.

Solution

To resolve this error, the Audience value from the IdP and the Entity ID in Auth0 must be aligned.

  1. Retrieve the SAML Response: Capture the SAML assertion being sent from the IdP during a failed login attempt. This can be done using a HAR file or browser developer tools.

  2. Decode the SAML Response: Use a SAML decoding tool to parse the response and find the value within the <saml:Audience> tag.

  3. How to Find the Entity ID:

    1. Log in to the Auth0 dashboard as a tenant member (Administrator).
    2. If necessary, switch to the required tenant. For further information, refer to Manage account settings.
    3. Log in to the Documentation website with the Auth0 account details.
    4. Navigate to Authentication > Enterprise Connections > SAML.
    5. On the top horizontal menu, click Setup.
    6. Respond to the prompt “If you are an administrator of this domain” and click Continue.
    7. This opens the documentation page SAML Identity Provider Configuration Settings.
    8. Scroll down to the section Entity ID.
    9. The Entity ID of the Service Provider (SP) is displayed and takes this form:
      urn:auth0:tenant-name:{yourConnectionName} or urn:config:tenant-name:{yourConnectionName}, depending on the environment type.

  4. Align the Values:

    • Option A (Recommended): Reconfigure the Identity Provider (IdP) to send the correct Audience value that exactly matches the Entity ID shown in the Auth0 connection settings.

    • Option B: If the IdP configuration cannot be changed, update the Entity ID in the Auth0 SAML connection settings to match the Audience value being sent by the IdP.

After ensuring the values match exactly, attempt the login again.
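The following Python script is an added example, not part of this article or of Auth0's own implementation. It performs steps 1 to 4 of the procedure above offline: it takes a base64-encoded SAMLResponse (here a constructed, unsigned sample instead of one captured from a HAR file), parses the assertion, extracts every <saml:Audience> value and compares it against the Service Provider Entity ID using the same exact-match rule the article describes. When the values differ only by trailing slash, letter case or whitespace, it reports that as a hint, since those are the mismatches that are easiest to miss when reading a decoded response by eye. The tenant name, connection name, issuer URL and NameID are placeholders chosen for the example.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used when locating elements in the response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Placeholder SP Entity ID in the urn:auth0:tenant-name:connection-name form
# shown in the article; the tenant and connection names are invented.
ENTITY_ID = "urn:auth0:example-tenant:my-saml-connection"


def build_sample_response(audience: str) -> str:
    """Return a constructed, unsigned SAML Response encoded the way it appears
    in the SAMLResponse form field. Only the elements needed for the audience
    check are included; a real response also carries a signature, timestamps
    and attribute statements."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def extract_audience_restrictions(saml_response_b64: str) -> list:
    """Decode the SAMLResponse field and return one list of Audience strings
    per AudienceRestriction element, without any normalisation."""
    # The sample is constructed locally; for untrusted input a hardened
    # parser such as defusedxml should be used instead of ElementTree.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    restrictions = []
    for ar in root.findall(".//saml:AudienceRestriction", NS):
        restrictions.append([a.text or "" for a in ar.findall("saml:Audience", NS)])
    return restrictions


def _loose(value: str) -> str:
    """Normalised form used only to produce a diagnostic hint, never to decide
    the actual check."""
    return value.strip().rstrip("/").lower()


def check_audience(saml_response_b64: str, entity_id: str) -> dict:
    """Apply the exact-match rule: every AudienceRestriction must list the SP
    Entity ID verbatim. Returns the audiences seen and, on failure, a hint if
    one of them is a near miss (slash, case or whitespace difference)."""
    restrictions = extract_audience_restrictions(saml_response_b64)
    audiences = [aud for group in restrictions for aud in group]
    ok = bool(restrictions) and all(entity_id in group for group in restrictions)
    hint = None
    if not ok:
        for aud in audiences:
            if _loose(aud) == _loose(entity_id):
                hint = f"near match: IdP sent {aud!r} but the SP Entity ID is {entity_id!r}"
                break
    return {"ok": ok, "audiences": audiences, "hint": hint}


if __name__ == "__main__":
    for sent in (ENTITY_ID, ENTITY_ID + "/", "urn:auth0:other-tenant:other-connection"):
        result = check_audience(build_sample_response(sent), ENTITY_ID)
        status = "accepted" if result["ok"] else "Audience is invalid"
        print(f"{sent!r}: {status}" + (f" ({result['hint']})" if result["hint"] else ""))
```

To use it on a real failed login, replace the constructed sample with the SAMLResponse value copied from the HAR file or the browser's network tab; the hint line tells you which of the two sides (IdP Audience or Auth0 Entity ID) needs to be corrected under Option A or Option B.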
