For any IdP connections configured with multiple virtual server IDs, the AudienceRestriction value in a SAML response must match the virtual server ID information embedded in the protocol endpoint at which PingFederate receives the message.

As needed, you can disregard this validation condition on a per-connection basis. Because the AudienceRestriction check is what stops an assertion that an IdP scoped to one virtual server from being accepted at another, limit the exemption to connections whose IdP cannot be configured to send the correct virtual server ID in the Audience element.

  1. Edit the org.sourceid.saml20.util.VirtualIdentityUtil.xml file, located in the <pf_install>/pingfederate/server/default/data/config-store directory.
  2. For each IdP connection for which you want to disregard the validation condition, add its Partner's Entity ID value as an entry inside the c:map element; for example:
    <?xml version="1.0" encoding="UTF-8"?>
    <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
        <c:map name="AllowAnyVirtualServerIdInAudience">
            <c:item name="www.example.com"/>
            <c:item name="www.example.org"/>
        </c:map>
    </c:config>

    In this example, the first entry adds the IdP connection whose Partner's Entity ID is www.example.com to the list, so PingFederate no longer returns an error when the AudienceRestriction value in a SAML response from that partner does not match the virtual server ID embedded in the protocol endpoint at which PingFederate receives the message. The second entry has the same effect for the IdP connection whose Partner's Entity ID is www.example.org.

  3. Save your changes.
  4. Restart PingFederate.

    For a clustered PingFederate environment, perform these steps on the console node, and then click Replicate Configuration on the System > Cluster Management screen. It is not necessary to restart PingFederate on any running engine node.
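The following is an added example that is not part of this page or of PingFederate's own code. It scripts step 2 (adding a Partner's Entity ID to the AllowAnyVirtualServerIdInAudience map in a config-store file of the shape shown above, without creating duplicates) and models the validation rule the map relaxes, so you can see which SAML responses the exemption lets through. The config-store content and the SAML responses are constructed inline, and the check itself is a simplified model (a direct comparison of the Audience value against the virtual server ID string of the receiving endpoint; PingFederate's actual matching and signature verification are not reproduced here). The function names and the virtual server IDs `vsid-a` and `vsid-b` are this example's own.

```python
import xml.etree.ElementTree as ET

CONFIG_NS = "http://www.sourceid.org/2004/05/config"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAP_NAME = "AllowAnyVirtualServerIdInAudience"
ET.register_namespace("c", CONFIG_NS)  # keep the c: prefix when serializing

# Constructed config-store content in the shape of
# org.sourceid.saml20.util.VirtualIdentityUtil.xml; one partner already exempted.
CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
    <c:map name="AllowAnyVirtualServerIdInAudience">
        <c:item name="www.example.com"/>
    </c:map>
</c:config>"""


def _exempt_map(root):
    """Return the AllowAnyVirtualServerIdInAudience c:map element, or None."""
    for m in root.findall(f"{{{CONFIG_NS}}}map"):
        if m.get("name") == MAP_NAME:
            return m
    return None


def load_exempt_issuers(config_xml):
    """Partner Entity IDs listed in the map, i.e. connections exempt from the check."""
    m = _exempt_map(ET.fromstring(config_xml))
    if m is None:
        return set()
    return {i.get("name") for i in m.findall(f"{{{CONFIG_NS}}}item") if i.get("name")}


def add_exempt_issuer(config_xml, entity_id):
    """Step 2 of the procedure as code: add a c:item for entity_id (idempotent)
    and return the new file content. Creates the c:map if it is absent."""
    root = ET.fromstring(config_xml)
    m = _exempt_map(root)
    if m is None:
        m = ET.SubElement(root, f"{{{CONFIG_NS}}}map", name=MAP_NAME)
    existing = {i.get("name") for i in m.findall(f"{{{CONFIG_NS}}}item")}
    if entity_id not in existing:
        ET.SubElement(m, f"{{{CONFIG_NS}}}item", name=entity_id)
    if hasattr(ET, "indent"):  # Python 3.9+: pretty-print like the hand-edited file
        ET.indent(root, space="    ")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def make_response(issuer, audience):
    """Constructed minimal SAML response (unsigned; signatures are out of scope here)."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def audience_check(response_xml, virtual_server_id, exempt_issuers):
    """Simplified model of the validation described on the page (an assumption,
    not PingFederate's code): the Audience must match the virtual server ID of the
    receiving endpoint unless the issuing partner is exempted. Returns (accepted, reason)."""
    root = ET.fromstring(response_xml)
    issuer = (root.findtext(f"{{{SAML_NS}}}Issuer") or "").strip()
    audiences = {a.text.strip() for a in root.iter(f"{{{SAML_NS}}}Audience") if a.text}
    if virtual_server_id in audiences:
        return True, "audience matches virtual server ID"
    if issuer in exempt_issuers:
        return True, f"audience mismatch tolerated: {issuer} is listed in {MAP_NAME}"
    # A missing AudienceRestriction is treated as a mismatch here (modelling choice).
    return False, f"audience {sorted(audiences)} does not match virtual server ID {virtual_server_id!r}"


if __name__ == "__main__":
    exempt = load_exempt_issuers(CONFIG_XML)
    cases = [("www.example.org", "vsid-a"), ("www.example.org", "vsid-b"), ("www.example.com", "vsid-b")]
    for issuer, aud in cases:
        print(issuer, aud, audience_check(make_response(issuer, aud), "vsid-a", exempt))
    print(add_exempt_issuer(CONFIG_XML, "www.example.org"))
```

Running the script shows the three outcomes the page describes: a matching Audience is accepted for any partner, a mismatch from www.example.org is rejected, and the same mismatch from the exempted www.example.com is accepted. Adding www.example.org to the map with `add_exempt_issuer` then makes the second case pass as well; a second call for the same Entity ID does not add a duplicate c:item. After writing the result back to the file, the restart (or Replicate Configuration on a cluster) from steps 3 and 4 still applies.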