Background

How do I avoid the 500 error when I attempt to log in with SAML enabled?


Problem

When attempting to log in with SAML enabled, I received a 500 error. When I enable debug mode and try to log in again, I see the error below.


2019-05-22 21:06:07.907 DEBUG projectContext.go:39 assertion invalid: Conditions AudienceRestriction does not contain "https://aquasec.com"



Cause

When the SSO application is configured on the IdP, it is given an audience value that the IdP places in every assertion it issues (the AudienceRestriction element). Aqua, as the SP, only accepts assertions whose audience matches the SP entity ID it is configured with; if the two values differ, the assertion is rejected and the login fails with the 500 error above. In this example the assertion carries the audience "aquasec.novalue.com", while Aqua is configured with "https://aquasec.com" (the value quoted in the debug line). Here is the AudienceRestriction as sent in the assertion:


<saml2:AudienceRestriction>
    <saml2:Audience>aquasec.novalue.com</saml2:Audience>
</saml2:AudienceRestriction>



Solution

Because the value is set on both the IdP side and the Aqua side, either one can be changed to resolve the issue. Your SSO administrator should make the final call, in line with your organization's internal practices, on which side is changed. Conventionally the audience configured in the IdP is set to the SP's entity ID, so that the consumer of the assertion is clearly identified; in this example that is the value Aqua reports in the debug line, "https://aquasec.com". Treat the comparison as an exact string match: the scheme, host and any trailing slash must agree, so "aquasec.com" or "http://aquasec.com" will still be rejected when Aqua expects "https://aquasec.com". Do not work around the error by removing the audience restriction on the IdP side; it is what stops an assertion issued for a different application from being accepted by Aqua.
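The following script is an added example, not part of this article or of Aqua's own code. It shows what the SP-side check in the Cause section is doing: it base64-decodes a SAMLResponse (the form in which the IdP posts it to the SP), pulls out every Audience value by XML namespace rather than by prefix (IdPs variously use "saml:" or "saml2:" for the same namespace), and compares them to the SP entity ID with an exact string match, reproducing the "does not contain" message from the debug log. The sample response and the entity ID are constructed for the example; replace them with the SAMLResponse captured from your browser and the entity ID configured in Aqua.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespace URIs; the prefix an IdP chooses ("saml", "saml2", ...) does not matter.
SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def build_sample_response(audience: str, prefix: str = "saml2") -> str:
    """Constructed, unsigned, minimal SAMLResponse carrying one Audience value,
    base64-encoded the way a browser posts it to the SP's ACS endpoint.
    Sample data for this example only; a real response also carries Issuer,
    Subject, a Signature and more."""
    xml = (
        f'<samlp:Response xmlns:samlp="{SAML_PROTOCOL_NS}" '
        f'xmlns:{prefix}="{SAML_ASSERTION_NS}" ID="_resp1" Version="2.0">'
        f'<{prefix}:Assertion ID="_a1" Version="2.0">'
        f"<{prefix}:Conditions>"
        f"<{prefix}:AudienceRestriction>"
        f"<{prefix}:Audience>{audience}</{prefix}:Audience>"
        f"</{prefix}:AudienceRestriction>"
        f"</{prefix}:Conditions>"
        f"</{prefix}:Assertion>"
        f"</samlp:Response>"
    )
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def audiences_from_response(saml_response_b64: str) -> list[str]:
    """Decode a base64 SAMLResponse and return every Audience value it carries.
    Lookup is by namespace URI, so "saml:Audience" and "saml2:Audience" are both found.
    For untrusted input in production, parse with defusedxml instead of ElementTree."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    audience_tag = f"{{{SAML_ASSERTION_NS}}}Audience"
    return [(el.text or "").strip() for el in root.iter(audience_tag)]


def check_audience(saml_response_b64: str, sp_entity_id: str) -> tuple[bool, str]:
    """Mirror the SP-side check: the assertion is accepted only if one of its
    Audience values is exactly the SP entity ID (scheme, host and trailing slash included)."""
    audiences = audiences_from_response(saml_response_b64)
    if sp_entity_id in audiences:
        return True, f'ok: AudienceRestriction contains "{sp_entity_id}"'
    return False, (
        f'assertion invalid: Conditions AudienceRestriction does not contain "{sp_entity_id}" '
        f"(assertion carries {audiences})"
    )


if __name__ == "__main__":
    sp_entity_id = "https://aquasec.com"  # assumed: the SP entity ID configured in Aqua
    # The mismatch from the article: the IdP was configured with a different audience.
    print(check_audience(build_sample_response("aquasec.novalue.com"), sp_entity_id)[1])
    # After the IdP audience is corrected to the SP entity ID, the check passes.
    print(check_audience(build_sample_response(sp_entity_id), sp_entity_id)[1])
    # A near miss (missing scheme) still fails: the comparison is exact.
    print(check_audience(build_sample_response("aquasec.com"), sp_entity_id)[1])
```

To use it against a real login, copy the SAMLResponse form field from the browser's network tab (it is already base64) and pass it to check_audience together with the entity ID from Aqua's SAML settings; the script does not verify the signature, so it is a diagnostic for the audience value only, not a substitute for the SP's validation.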



Related Information


https://support.aquasec.com/solution/articles/16000078971-enable-debug-mode-for-server-components