My team are about to launch a new site, which authenticates users using SSO to our internal ADFS.
SSO works on our local and staging environments and now we're setting up what will be the live environment.
The site will be on a typical URL (i.e. in the form www.example.com). While we're previewing it, it's temporarily on preview.example.com.
When attempting to log in, we receive the error:
Invalid audience for this response
(expected 'https://www.example.com/login/saml2', got 'https://preview.example.com/login/saml2')
In my mind, there are three places this could occur:
- In the web app (I think this is referred to as the Relying Party?)
- In the ADFS configuration
- Encoded in the certificates (we have idp_x509, pkey and x509)
We're pretty sure the web app is configured correctly. Our IT team think ADFS is correct (but are checking).
My question is: do the certificates encode this data, such that they would need swapping out if the hostname of the relying party were to change? If so, which certificate would it likely involve?
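Added example, not part of the original question: a minimal SAML 2.0 audience check that shows where the value in an "Invalid audience for this response" error actually comes from. In SAML 2.0 the audience is the `<saml:Audience>` element inside `<saml:AudienceRestriction>` in the assertion's `<saml:Conditions>`; the IdP fills it in from the identifier it has on file for the relying party (in ADFS, the Relying Party Trust identifier), and the relying party compares it with its own configured entity ID. The X.509 certificates are only consulted for signature verification and encryption. The response below is a constructed sample that reuses the hostnames from the question; the assumed convention here is that "expected" is the relying party's configured entity ID and "got" is the assertion's audience, which is a choice made for this example and not necessarily what a given SAML library prints.

```python
# Added example (not from the original post): SAML 2.0 AudienceRestriction check.
# Signature verification is deliberately omitted; a real relying party must
# validate the XML signature before trusting any element of the response.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response (unsigned, stripped down). The Audience was set
# by the IdP from the identifier it has for the relying party, here the
# preview hostname; the issuer URL is an assumed placeholder.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://preview.example.com/login/saml2">
  <saml:Assertion>
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z"
                     NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://preview.example.com/login/saml2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


class InvalidAudience(Exception):
    """Raised when the assertion is not addressed to this relying party."""


def audience_restrictions(response_xml: str) -> list:
    """Return one list of Audience URIs per <saml:AudienceRestriction>.

    SAML core 2.5.1.4: every AudienceRestriction element must be satisfied
    independently; within one element, matching any listed Audience suffices.
    """
    root = ET.fromstring(response_xml)
    return [
        [a.text.strip() for a in r.findall("saml:Audience", NS) if a.text]
        for r in root.findall(".//saml:AudienceRestriction", NS)
    ]


def check_audience(response_xml: str, sp_entity_id: str) -> str:
    """Accept the response only if every AudienceRestriction names this SP.

    An assertion with no AudienceRestriction is refused: without one, a
    response issued for some other relying party would be replayable here.
    """
    restrictions = audience_restrictions(response_xml)
    if not restrictions:
        raise InvalidAudience("assertion carries no AudienceRestriction; refusing")
    for allowed in restrictions:
        if sp_entity_id not in allowed:
            raise InvalidAudience(
                "Invalid audience for this response "
                f"(expected '{sp_entity_id}', got '{', '.join(allowed)}')"
            )
    return sp_entity_id


def entity_id_for(base_url: str, path: str = "/login/saml2") -> str:
    """Entity ID this relying party advertises; it moves with the hostname."""
    return base_url.rstrip("/") + path


if __name__ == "__main__":
    # The same response is valid or invalid purely on the configured entity ID;
    # no certificate is involved in that decision.
    print(check_audience(SAMPLE_RESPONSE, entity_id_for("https://preview.example.com")))
    try:
        check_audience(SAMPLE_RESPONSE, entity_id_for("https://www.example.com"))
    except InvalidAudience as exc:
        print(exc)
```

The practical consequence is that fixing this error means aligning two configured strings, the relying party's entity ID on the application side and the identifier ADFS holds for that relying party, and that a hostname change touches both of those, not the signing or encryption certificates (whose subject or SAN is a separate matter for TLS and for the IdP's signing key).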