SAML assertion error after upgrade.

Hello, Recently I upgraded SAML on a number of our apps following advise that the ones we were using had potential vulnerabilities. The Version 7 mendix apps were updated and these seem fine. With our version 8 applications we update the existing SAML module and although there are no other changes it now shows a Mendix assertion error page which says: ”Assertion Conditions are not met. This Service Provider application is not part of the designated audience list” We cannot see why this is happening. It has caused us concern as we have no way to upgrade our version 8 applications.  Is there either a fix being made available or a way to manual fix this?
2 answers

I have the same case for my client. We are using SAML 3.1 with MX 9.x.  New policy about metadata are leading to a lot of issues. It sounds like it better to either correct IdP response or fix workflow in java mx validators for this sso. SSO module should be well tested before release imho.


This is because they use the strict policy now in the new modules. Unfortunately you can not select the other policies yet because they have not yet be implemented.

Double check your SAML logs and check the Issuer and in the response message the AudienceRestriction. They should match. There was in issue with IdP Okta that added an extra slash at the end which made that the issuer was different from the audiencerestriction. But that has been fixed on the Mendix side by some changes in the Java code. So I do wonder which IdP you are using and what those values are in your case. You might want to create a support ticket for this if you can not resolve it yourself.



[EDIT] I now see you use Okta. Are you sure you are using the latest SAML releases?