I have set up an external Identity Provider and am running into an issue of Okta saying that it cannot validate the incoming SAML assertion due to the Issuer in the response not matching the issuer configured for the Identity Provider. However, using a SAML tracer it appears as though the Issuer is in fact what I have specified, making me think the error being reported in the Okta logs is wrong and it might be invalid for another reason.
Is it possible that this error is returned incorrectly if it is invalid for another reason, such as the time stamp being in a different format that Okta doesn’t understand (for max skew - I noticed the one in the assertion doesn’t contain milliseconds) or something like that?
Can you please open a support ticket with us through our Community Portal or by email at support@okta.com to have this issue further investigated by one of our support engineers?
For anyone that runs into a similar issue and lands on this topic, I wanted to follow up. It turns out Okta’s log messages are pretty good. I was interpreting where it was looking and validating the Issuer from incorrectly because after some collaboration with the other end of the SSO configuration (we do not control that end, unfortunately), we figured out that they weren’t including the Issuer with the response.
Following that, we moved on to another error in the Okta logs, which was indicating that the “Audience” that the assertion was specifying did not match the IDP settings in Okta. Again, this was indeed wrong on the other end of the SSO configuration. Once this value was fixed, it resolved our issues.
Moral of the story: in at least our case, the logs were quite accurate in determining what was wrong. In these types of messages, they were indications of misconfigurations on the non-Okta end of the SAML configuration (which in this case, is the IDP end).
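The two log messages the follow-up describes (Issuer mismatch and Audience mismatch) are the service-provider-side checks Okta performs on an inbound assertion when it acts as the SP for an external IdP. The following added example, which is not from the thread and not Okta's code, shows those checks over a constructed, unsigned SAML Response so the failure modes are visible: the Issuer being absent from the assertion (the thread's actual cause), the Audience not matching, and the time window with or without fractional seconds (the original question about milliseconds). All URLs, IDs and the `MAX_SKEW` value are hypothetical; signature verification is out of scope.

```python
"""Added example: SP-side Issuer / Audience / time-window checks on a SAML Response.
Not Okta's implementation; all identifiers below are constructed placeholders."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical IdP settings as configured on the SP side (constructed values).
EXPECTED_ISSUER = "https://idp.example.com/saml/metadata"      # the IdP's entityID
EXPECTED_AUDIENCE = "https://sp.example.org/saml2/sp/PLACEHOLDER"  # the SP's entityID
MAX_SKEW = timedelta(minutes=2)  # assumed clock-skew tolerance
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the demo


def parse_saml_instant(value):
    """Parse a SAML xs:dateTime (UTC), with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAML timestamp: {value!r}")


def check_response(xml_text, expected_issuer, expected_audience, now, max_skew=MAX_SKEW):
    """Return a list of validation problems; an empty list means the checks passed."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in Response"]

    # Issuer appears on the Response and again inside the Assertion; check both.
    for label, elem in (("Response", root), ("Assertion", assertion)):
        issuer = elem.find("saml:Issuer", NS)
        text = (issuer.text or "").strip() if issuer is not None else ""
        if not text:
            problems.append(f"{label} Issuer is missing")
        elif text != expected_issuer:
            problems.append(f"{label} Issuer {text!r} != configured {expected_issuer!r}")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("Assertion has no Conditions")
        return problems

    # Audience must name this SP; any other value is a misconfiguration on the IdP side.
    audiences = [a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences!r} does not include configured {expected_audience!r}")

    # Validity window, tolerating max_skew in either direction.
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + max_skew < parse_saml_instant(not_before):
        problems.append("assertion not yet valid (NotBefore)")
    if not_on_or_after and now - max_skew >= parse_saml_instant(not_on_or_after):
        problems.append("assertion expired (NotOnOrAfter)")
    return problems


def build_response(issuer, assertion_issuer, audience,
                   not_before="2024-01-01T11:59:00Z", not_on_or_after="2024-01-01T12:05:00.000Z"):
    """Build a constructed, unsigned SAML Response; pass None to omit an Issuer element."""
    def issuer_elem(v):
        return f"<saml:Issuer>{v}</saml:Issuer>" if v is not None else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  {issuer_elem(issuer)}
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    {issuer_elem(assertion_issuer)}
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Run the checks over a good response and one with the thread's two misconfigurations."""
    good = build_response(EXPECTED_ISSUER, EXPECTED_ISSUER, EXPECTED_AUDIENCE)
    bad = build_response(EXPECTED_ISSUER, None, "https://sp.example.net/wrong-audience")
    return {
        "good": check_response(good, EXPECTED_ISSUER, EXPECTED_AUDIENCE, NOW),
        "bad": check_response(bad, EXPECTED_ISSUER, EXPECTED_AUDIENCE, NOW),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

The "bad" case reproduces the sequence in the follow-up: the assertion carries no Issuer element at all, so the mismatch message is literally true even though a tracer shows the Response-level Issuer looking correct, and once that is fixed the Audience check fails next. Both values are compared against the entityID strings configured for the IdP and the SP, which is where the metadata question below comes in.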
Hi, I’m encountering a similar problem. This is the error logged in Okta: “The Issuer in the SAML response did not match the Issuer configured for the Identity Provider”.
Can someone tell me if the issuer provided in the external SAML provider should reside in the entityId tag of the metadata?
Supposedly metadata provided by the Okta Identity Provider places it in the entityId tag.
I’m under the assumption entityID from external SAML provider should match entityID in Okta’s SAML metadata?
Here is a shell of metadata returned by the external SAML provider containing entityId: