Azure Single Sign On with SAML - IDX10214: Audience validation failed issue

CHIRAG KALIA 0 Reputation points


I have a sample application that is trying to facilitate single sign on using SAML and I am able to authenticate the user, but when I am getting the SAML response back from Azure, I am facing the below error:

IDX10214: Audience validation failed. Audiences: 'spn:3xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'. Did not match: validationParameters.ValidAudience: '3xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' or validationParameters.ValidAudiences: 'null'.

I have made sure that the application ID is correct. I have a simple .NET Framework 4.8 MVC application and I am using OWIN middleware(Microsoft.Owin.Security & other packages) to call Azure

HttpContext.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" },


Following is my web.config

`<add key="ida:ADFSMetadata" value="" />`

<add key="ida:Wtrealm" value="3xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" />

Could you please help me pinpoint what is causing this issue? I checked the Azure logs and I am able to sign in and I'm getting the MFA token, this issue is only coming when request is being redirected to the reply URL.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,998 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,852 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Navya 4,775 Reputation points Microsoft Vendor


    Thank you for posting this in Microsoft Q&A.

    I understand you are facing an issue with Azure Single Sign-On using SAML. Specifically, you are receiving an error message with the code IDX10214: Audience validation failed.

    Can you please check audience and issuer values?

    The Issuer value, the Audience value must exactly match one of the service principal names that represents the cloud service in Microsoft Entra ID. However, if the value of the Issuer element is not a URI value, the Audience value in the response is the Issuer value prefixed with spn:.

    please refer this article:

    Hope this helps. Do let us know if you any further queries.



    0 comments No comments