ADFS SSO error: Invalid audience for this response

gh flag

My team are about to launch a new site, which authenticates users using SSO to our internal ADFS.

SSO works on our local and staging environments and now we're setting up what will be the live environment.

The site will be on a typical url (ie in the form While we're previewing it, it's temporarily on

When attempting to login, we receive the error:

Invalid audience for this response
(expected '', got '')

In my mind, there are three places this could occur:

  1. In the web app (I think this is referred to as the Relying Party?)
  2. In the ADFS configuration
  3. Encoded in the certificates (we have idp_x509, pkey and x509)

We're pretty sure the web app is configured correctly. Our IT team think ADFS is correct (but are checking).

My question is do the certificates encode this data, such that they would need swapping out if the hostname of the relying party were to change? If so, which certificate would it likely involve?


Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.