FortiGate
ssteo
Staff
Article Id 249504
Description: This article describes an SSL VPN SAML login failure with the error 'Audience is invalid!' when Okta is used as the SAML identity provider.
Scope: FortiGate, Okta as SAML identity provider.
Solution

FortiGate is configured for SSL VPN SAML login with Okta as the SAML identity provider, but the SSL VPN client fails to connect.

Run the 'diagnose debug application samld -1' command. The output shows the error below:

diagnose debug application samld -1

__samld_sp_login_resp [871]: Audience is invalid!
samld_send_common_reply [114]: Code: 6, id: 1168, data_len: 43
samld_send_common_reply [122]: Attr: 22, 8, ÿÿ
samld_send_common_reply [122]: Attr: 23, 21, Undefined error.


'Audience is invalid' indicates that the Service Provider 'entity-id' configured under 'config user saml' on FortiGate differs from the Audience URI configured in Okta.


The Audience URL, also known as Audience Restriction, specifies the intended recipient of the SAML Assertion. This field might be referred to as the 'Entity ID' by different vendors. While it can be any string, it is usually formatted as a URL, often including the Service Provider’s (SP’s) name. Frequently, the Audience URI matches the Assertion Consumer Service (ACS) URL, also known as the SSO URL. A common cause of the 'Audience is invalid' error is typos in the SP Entity ID, particularly with 'https://' and 'http://'.


Re-check that the entity-id URL configured on FortiGate is identical to the value in the Okta settings.


In the Okta SAML configuration, the Entity ID setting is found under SAML Configuration -> General -> Audience URI (SP Entity ID).

The Audience URI string is case-sensitive. For example, the following two URIs are different audiences and will generate an 'Audience is invalid' error:

FortiGate: set entity-id "https://WOOD.example.com:12345/remote/saml/metadata/"
Okta SP Entity ID: https://wood.example.com:12345/remote/saml/metadata/

To trace the SAML authentication, refer to the Technical Tip: How to record a client SAML trace, and examine the SAML response. The samld debug output can also look like this:

__samld_sp_login_resp [854]: Audience is invalid!
samld_send_common_reply [91]: Code: 7, id: 362199, pid: 246, len: 53, data_len 37


If SAML responds with code 7 along with 'Audience is invalid!' in the debug output, there is a configuration mismatch: the user-name claim configured on FortiGate must be the same as the username attribute name on the SAML server, and the Audience value must exactly match one of the service principal names on the server.

config user saml
    edit "OKTA"
        set user-name <claim-name>  <----- This must be the same as the username claim configured on the SAML server.
    next
end
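The two checks this article describes, that the assertion's Audience equals the FortiGate entity-id byte for byte and that the configured user-name claim actually appears in the assertion, can be run offline against a decoded SAML response captured with a client SAML trace. The script below is an added example and is not FortiGate's or Okta's code; the SAML response it parses is a constructed sample (signature omitted), and the entity-id and claim name are the values from this article. It compares the strings exactly, as the article says FortiGate does, and when they differ it reports the usual causes (case, http vs https, trailing slash) so the mismatch is obvious before touching the configuration.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of a decoded SAML response (not a real capture);
# the Signature element is left out because it is irrelevant to this check.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://wood.example.com:12345/remote/saml/metadata/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def audiences(response_xml):
    """Audience values carried in the assertion's AudienceRestriction."""
    root = ET.fromstring(response_xml)
    nodes = root.findall(".//saml:AudienceRestriction/saml:Audience", NS)
    return [a.text.strip() for a in nodes if a.text]


def attribute_names(response_xml):
    """Attribute names present in the assertion's AttributeStatement."""
    root = ET.fromstring(response_xml)
    nodes = root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    return {a.get("Name") for a in nodes}


def explain_mismatch(configured, received):
    """Hint at why a configured entity-id and a received Audience differ."""
    if configured == received:
        return "match"
    if configured.lower() == received.lower():
        return "case differs (Audience URI is case-sensitive)"

    def without_scheme(uri):
        return uri.split("://", 1)[-1]

    if without_scheme(configured) == without_scheme(received):
        return "scheme differs (http:// vs https://)"
    if configured.rstrip("/") == received.rstrip("/"):
        return "trailing slash differs"
    return "different value"


def check_response(response_xml, entity_id, claim_name):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    auds = audiences(response_xml)
    if not auds:
        findings.append("Audience is invalid: assertion carries no Audience element")
    elif entity_id not in auds:
        # Exact, case-sensitive comparison, as the article describes.
        for aud in auds:
            findings.append(f"Audience is invalid: got {aud!r}, {explain_mismatch(entity_id, aud)}")
    if claim_name not in attribute_names(response_xml):
        findings.append(f"user-name claim {claim_name!r} not found in AttributeStatement")
    return findings


if __name__ == "__main__":
    # Mixed-case entity-id from the article: differs only in case from the sample Audience.
    entity_id = "https://WOOD.example.com:12345/remote/saml/metadata/"
    for line in check_response(SAMPLE_RESPONSE, entity_id, "username") or ["OK"]:
        print(line)
```

Paste the decoded Response element from the SAML trace in place of the constructed sample, set entity_id to the value from 'show user saml' on the FortiGate and claim_name to the configured user-name, and an empty result means the response should pass both checks this article covers.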
