Description
Describe the bug
The SAML response generated by Authentik is missing the <saml:Conditions> block including <AudienceRestriction>, even though the Audience / SP Entity ID is configured correctly in the application settings. This causes the Service Provider to reject the response with an "Audience is invalid" error.
To Reproduce
Steps to reproduce the behavior:
- Set up Authentik via Docker as a SAML Identity Provider
- Create a SAML Provider with:
  - Valid ACS URL from SP
  - Correct Issuer (SP Entity ID)
  - POST binding
- Create an Application linked to the SAML Provider
- Configure the Application with:
  - NameID Format: emailAddress
  - NameID Source: user.email
  - SP Entity ID / Audience matching the SP's metadata
- Initiate SAML login via the Service Provider
- Check the generated SAML response via SAML-tracer or logs
Expected behavior
The SAML assertion should include a <saml:Conditions> block containing <AudienceRestriction><Audience>...</Audience></AudienceRestriction>, matching the configured Audience in the Application. This is required for the SP to validate the response.
Screenshots
N/A - the raw SAML assertion shows the missing <Conditions> block.
Logs
The SP returns:
Audience is invalid.
SAML-tracer confirms the assertion does not contain an <Audience> element, despite correct settings.
Version and Deployment (please complete the following information):
- authentik version: 2025.6.4
- Deployment: docker-compose
Additional context
- The NameID is correctly generated with the user's email
- The Issuer matches the expected SP Entity ID
- Assertions are signed
- This issue appears to be related to the <Audience> not being rendered in the SAML response, despite setting it in the Application
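To make the "Audience is invalid" rejection concrete, the following is an added example (not code from the Authentik project or from this report) of the check a Service Provider performs on the <saml:Conditions> block: it requires the block to exist, enforces NotBefore/NotOnOrAfter, and requires the SP's own entity ID to appear in every <AudienceRestriction>. The two assertions below are constructed samples, the audience URL is a placeholder, and the fixed timestamp keeps the example reproducible offline.

```python
"""SP-side validation of the SAML 2.0 <saml:Conditions> block (added example)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Placeholder SP entity ID; a real SP uses the entityID from its own metadata.
EXPECTED_AUDIENCE = "https://sp.example.com/saml/metadata"
# Fixed "current time" so the validity-window check is deterministic.
NOW = datetime(2025, 7, 1, 12, 0, 0, tzinfo=timezone.utc)


def _parse_time(value):
    """SAML uses xs:dateTime in UTC, e.g. 2025-07-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(response_xml, expected_audience=EXPECTED_AUDIENCE, now=NOW):
    """Return a list of problems; an empty list means the SP would accept
    the Conditions for expected_audience at time `now`."""
    root = ET.fromstring(response_xml)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> found"]
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        # This is the failure mode described in the bug report.
        return ["<saml:Conditions> block is missing"]

    problems = []
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < _parse_time(not_before):
        problems.append("assertion not yet valid (NotBefore)")
    if not_on_or_after and now >= _parse_time(not_on_or_after):
        problems.append("assertion expired (NotOnOrAfter)")

    restrictions = conditions.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        problems.append("<AudienceRestriction> is missing")
    # Per SAML Core, several AudienceRestriction elements are ANDed, while the
    # Audience values inside one element are ORed.
    for restriction in restrictions:
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            problems.append(f"Audience is invalid: expected {expected_audience!r}, got {audiences}")
    return problems


# Constructed sample 1: assertion without <saml:Conditions>, as in the report.
ASSERTION_MISSING_CONDITIONS = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-07-01T11:59:00Z">
    <saml:Issuer>https://authentik.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed sample 2: the expected shape, with Conditions and Audience present.
ASSERTION_WITH_CONDITIONS = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2025-07-01T11:59:00Z">
    <saml:Issuer>https://authentik.example.com</saml:Issuer>
    <saml:Conditions NotBefore="2025-07-01T11:55:00Z" NotOnOrAfter="2025-07-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""

if __name__ == "__main__":
    print(check_conditions(ASSERTION_MISSING_CONDITIONS))
    print(check_conditions(ASSERTION_WITH_CONDITIONS))
```

Running the block prints the missing-block problem for the first sample and an empty list for the second; passing a different expected_audience to the second sample reproduces the "Audience is invalid" message, which is the distinction worth checking in SAML-tracer output before assuming a misconfiguration on the SP side.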