I have created a SAML 2.0 login application in Spring Boot with Okta as the IdP. After a successful login in Okta I am getting the error below.
Invalid assertion [id19996480044761791773801931] for SAML response [id19996480042980701198640159]: Condition '{urn:oasis:names:tc:SAML:2.0:assertion}AudienceRestriction' of type 'null' in assertion 'id19996480044761791773801931' was not valid.: None of the audiences within Assertion 'id19996480044761791773801931' matched the list of valid audiances
My application.yml looks like this:
spring:
  security:
    saml2:
      relyingparty:
        registration:
          okta-saml:
            assertingparty:
              entity-id: http://www.okta.com/exkar5e4vbGQS6kYS697
              verification.credentials:
                - certificate-location: "classpath:saml-certificate/okta.cert"
              singlesignon.url: https://trial-6443640.okta.com/app/trial-6443640_appsaml1_1/exkar5e4vbGQS6kYS697/sso/saml
              singlesignon.sign-request: false
              audience: http://localhost:8080/login/saml2/service-provider-metadata/okta-saml

logging:
  file: logs/application-debug.log
  pattern:
    console: "%d %-5level %logger : %msg%n"
    file: "%d %-5level [%thread] %logger : %msg%n"
  level:
    org.springframework.web: DEBUG
    org.springframework.security: TRACE

server:
  port: 8080
SecurityConfiguration class:
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // This class is deprecated, but you have to use it if you're using OpenSAML < 4.0
        OpenSamlAuthenticationProvider authenticationProvider = new OpenSamlAuthenticationProvider();
        authenticationProvider.setAssertionValidator(OpenSamlAuthenticationProvider.createDefaultAssertionValidator());
        authenticationProvider.setResponseAuthenticationConverter(OpenSamlAuthenticationProvider.createDefaultResponseAuthenticationConverter());
        /*httpSecurity.authorizeRequests(authz -> authz.antMatchers("/login/saml2/sso/*").permitAll()
                .antMatchers("/login/saml2/service-provider-metadata/*").permitAll()
                .anyRequest().authenticated())*/
        httpSecurity.authorizeRequests(authz -> authz.anyRequest().authenticated())
                .saml2Login(saml2 -> saml2.authenticationManager(new ProviderManager(authenticationProvider)));
    }

    // Maps the "groups" SAML attribute onto granted authorities, falling back to the
    // authorities the default converter produced. Note that this converter is defined
    // but not wired into authenticationProvider above, so it currently has no effect.
    private Converter<OpenSamlAuthenticationProvider.ResponseToken, Saml2Authentication> groupsConverter() {
        Converter<OpenSamlAuthenticationProvider.ResponseToken, Saml2Authentication> delegate =
                OpenSamlAuthenticationProvider.createDefaultResponseAuthenticationConverter();
        return (responseToken) -> {
            Saml2Authentication authentication = delegate.convert(responseToken);
            Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
            List<String> groups = principal.getAttribute("groups");
            Set<GrantedAuthority> authorities = new HashSet<>();
            if (groups != null) {
                groups.stream().map(SimpleGrantedAuthority::new).forEach(authorities::add);
            } else {
                authorities.addAll(authentication.getAuthorities());
            }
            return new Saml2Authentication(principal, authentication.getSaml2Response(), authorities);
        };
    }
}
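The AudienceRestriction condition is the relying party's check that the assertion was issued for it and not for some other service provider: Spring Security's default assertion validator takes the single valid audience from the registration's entity ID (`RelyingPartyRegistration.getEntityId()`), and the assertion is rejected unless one of its `<Audience>` values equals that string exactly. Okta's "Audience URI (SP Entity ID)" field is what ends up in the assertion, so the two values have to agree character for character (scheme, host, port and path). The following example is added here and is not code from the original post; it wraps the default validator so that a rejected assertion logs both sides of the comparison while the default check still runs unchanged. Class and method names are my own; the Spring Security and OpenSAML 3 APIs used are the ones the poster's configuration already depends on.

```java
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;

import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.Conditions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.core.Saml2ResponseValidatorResult;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.AssertionToken;

/**
 * Added example (hypothetical class, not part of the original post): delegates to Spring
 * Security's default assertion validator and, only when that validator reports errors,
 * logs the relying party's expected audience next to the audiences the IdP actually put
 * in the assertion. The default validation result is returned as-is, so the
 * AudienceRestriction check is not weakened; this adds visibility, nothing else.
 */
public final class AudienceLoggingAssertionValidator {

    private static final Logger log = LoggerFactory.getLogger(AudienceLoggingAssertionValidator.class);

    private AudienceLoggingAssertionValidator() {
    }

    /** Returns a validator to pass to OpenSamlAuthenticationProvider.setAssertionValidator(...). */
    public static Converter<AssertionToken, Saml2ResponseValidatorResult> create() {
        Converter<AssertionToken, Saml2ResponseValidatorResult> delegate =
                OpenSamlAuthenticationProvider.createDefaultAssertionValidator();
        return assertionToken -> {
            Saml2ResponseValidatorResult result = delegate.convert(assertionToken);
            if (result.hasErrors()) {
                // The default validator's only valid audience is this relying party's entity ID.
                String expected = assertionToken.getToken().getRelyingPartyRegistration().getEntityId();
                Assertion assertion = assertionToken.getAssertion();
                log.warn("SAML assertion [{}] rejected: expected audience (SP entity ID) [{}], "
                        + "audiences present in assertion {}, errors {}",
                        assertion.getID(), expected, audiencesOf(assertion), result.getErrors());
            }
            return result;
        };
    }

    /** Collects every <Audience> URI from every <AudienceRestriction> under the assertion's <Conditions>. */
    static List<String> audiencesOf(Assertion assertion) {
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            return Collections.emptyList();
        }
        return conditions.getAudienceRestrictions().stream()
                .flatMap(restriction -> restriction.getAudiences().stream())
                .map(Audience::getAudienceURI) // OpenSAML 3 accessor; OpenSAML 4 renames it to getURI()
                .collect(Collectors.toList());
    }
}
```

To use it, replace the `setAssertionValidator(OpenSamlAuthenticationProvider.createDefaultAssertionValidator())` call in `configure` with `setAssertionValidator(AudienceLoggingAssertionValidator.create())`. On the next failed login the warning shows the value Spring Security expects (by default the entity ID is built from the template `{baseUrl}/saml2/service-provider-metadata/{registrationId}`, unless the registration overrides it) beside the value Okta sent, which makes a path, port or scheme mismatch obvious without having to decode the SAMLResponse by hand.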
This is the controller:
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@SpringBootApplication
@Controller
public class SpringSecuritySaml2Application {

    public static void main(String[] args) {
        SpringApplication.run(SpringSecuritySaml2Application.class, args);
    }

    // Landing page; every request requires authentication per SecurityConfiguration
    @RequestMapping("/")
    public String index() {
        return "home";
    }

    // Exposes the authenticated SAML principal's name to the "hello" view
    @RequestMapping("/secured/hello")
    public String hello(@AuthenticationPrincipal Saml2AuthenticatedPrincipal principal, Model model) {
        model.addAttribute("name", principal.getName());
        return "hello";
    }
}
After entering the Okta credentials on the login page, it is redirected to the app landing page but shows an error page: http://localhost:8080/login?error
The trace log is as follows:
2024-01-24 12:28:34,202 DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache : Saved request http://localhost:8080/ to session
2024-01-24 12:28:34,202 DEBUG org.springframework.security.web.DefaultRedirectStrategy : Redirecting to http://localhost:8080/saml2/authenticate/okta-saml
2024-01-24 12:28:34,202 TRACE org.springframework.security.web.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
2024-01-24 12:28:34,202 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2024-01-24 12:28:34,202 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2024-01-24 12:28:34,202 DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2024-01-24 12:28:34,226 TRACE org.springframework.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@3c25cfe1, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@1d3c112a, org.springframework.security.web.context.SecurityContextPersistenceFilter@1b57c345, org.springframework.security.web.header.HeaderWriterFilter@18a096b5, org.springframework.security.web.csrf.CsrfFilter@6c977dcf, org.springframework.security.web.authentication.logout.LogoutFilter@8054fe2, org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter@5ac53c06, org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter@653fb8d1, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@5fdfe8cf, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@2a140ce5, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@902fdbe, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@3f9b7fe1, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1f71194d, org.springframework.security.web.session.SessionManagementFilter@1d4f5506, org.springframework.security.web.access.ExceptionTranslationFilter@28cd2c2, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@61149fa5]] (1/1)
2024-01-24 12:28:34,228 DEBUG org.springframework.security.web.FilterChainProxy : Securing GET /saml2/authenticate/okta-saml
2024-01-24 12:28:34,228 TRACE org.springframework.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/16)
2024-01-24 12:28:34,228 TRACE org.springframework.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/16)
2024-01-24 12:28:34,228 TRACE org.springframework.security.web.FilterChainProxy : Invoking SecurityContextPersistenceFilter (3/16)
2024-01-24 12:28:34,228 TRACE org.springframework.security.web.context.HttpSessionSecurityContextRepository : Did not find SecurityContext in HttpSession 04B899A94DBDEAED632A55E558D43A8B using the SPRING_SECURITY_CONTEXT session attribute
2024-01-24 12:28:34,228 TRACE org.springframework.security.web.context.HttpSessionSecurityContextRepository : Created SecurityContextImpl [Null authentication]
2024-01-24 12:28:34,228 DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2024-01-24 12:28:34,228 TRACE org.springframework.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/16)
2024-01-24 12:28:34,229 TRACE org.springframework.security.web.FilterChainProxy : Invoking CsrfFilter (5/16)
2024-01-24 12:28:34,229 TRACE org.springframework.security.web.csrf.CsrfFilter : Did not protect against CSRF since request did not match And [CsrfNotRequired [TRACE, HEAD, GET, OPTIONS], Not [Or [Ant [pattern='/login/saml2/sso/{registrationId}']]]]
2024-01-24 12:28:34,229 TRACE org.springframework.security.web.FilterChainProxy : Invoking LogoutFilter (6/16)
2024-01-24 12:28:34,229 TRACE org.springframework.security.web.authentication.logout.LogoutFilter : Did not match request to Ant [pattern='/logout', POST]
2024-01-24 12:28:34,229 TRACE org.springframework.security.web.FilterChainProxy : Invoking Saml2WebSsoAuthenticationRequestFilter (7/16)
2024-01-24 12:28:34,229 TRACE org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver : Attempting to resolve from Ant [pattern='/**/{registrationId}'] since registrationId is null
2024-01-24 12:28:34,229 DEBUG org.springframework.security.saml2.provider.service.web.DefaultSaml2AuthenticationRequestContextResolver : Creating SAML 2.0 Authentication Request for Asserting Party [okta-saml]
2024-01-24 12:28:34,230 TRACE org.springframework.security.web.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
2024-01-24 12:28:34,230 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2024-01-24 12:28:34,231 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2024-01-24 12:28:34,231 DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2024-01-24 12:28:35,112 TRACE org.springframework.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@3c25cfe1, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@1d3c112a, org.springframework.security.web.context.SecurityContextPersistenceFilter@1b57c345, org.springframework.security.web.header.HeaderWriterFilter@18a096b5, org.springframework.security.web.csrf.CsrfFilter@6c977dcf, org.springframework.security.web.authentication.logout.LogoutFilter@8054fe2, org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter@5ac53c06, org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter@653fb8d1, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@5fdfe8cf, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@2a140ce5, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@902fdbe, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@3f9b7fe1, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1f71194d, org.springframework.security.web.session.SessionManagementFilter@1d4f5506, org.springframework.security.web.access.ExceptionTranslationFilter@28cd2c2, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@61149fa5]] (1/1)
2024-01-24 12:28:35,112 DEBUG org.springframework.security.web.FilterChainProxy : Securing POST /login/saml2/sso/okta-saml
2024-01-24 12:28:35,112 TRACE org.springframework.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/16)
2024-01-24 12:28:35,112 TRACE org.springframework.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/16)
2024-01-24 12:28:35,112 TRACE org.springframework.security.web.FilterChainProxy : Invoking SecurityContextPersistenceFilter (3/16)
2024-01-24 12:28:35,112 TRACE org.springframework.security.web.context.HttpSessionSecurityContextRepository : Did not find SecurityContext in HttpSession 04B899A94DBDEAED632A55E558D43A8B using the SPRING_SECURITY_CONTEXT session attribute
2024-01-24 12:28:35,112 TRACE org.springframework.security.web.context.HttpSessionSecurityContextRepository : Created SecurityContextImpl [Null authentication]
2024-01-24 12:28:35,112 DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2024-01-24 12:28:35,112 TRACE org.springframework.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/16)
2024-01-24 12:28:35,112 TRACE org.springframework.security.web.FilterChainProxy : Invoking CsrfFilter (5/16)
2024-01-24 12:28:35,113 TRACE org.springframework.security.web.csrf.CsrfFilter : Did not protect against CSRF since request did not match And [CsrfNotRequired [TRACE, HEAD, GET, OPTIONS], Not [Or [Ant [pattern='/login/saml2/sso/{registrationId}']]]]
2024-01-24 12:28:35,113 TRACE org.springframework.security.web.FilterChainProxy : Invoking LogoutFilter (6/16)
2024-01-24 12:28:35,113 TRACE org.springframework.security.web.authentication.logout.LogoutFilter : Did not match request to Ant [pattern='/logout', POST]
2024-01-24 12:28:35,113 TRACE org.springframework.security.web.FilterChainProxy : Invoking Saml2WebSsoAuthenticationRequestFilter (7/16)
2024-01-24 12:28:35,113 TRACE org.springframework.security.web.FilterChainProxy : Invoking Saml2WebSsoAuthenticationFilter (8/16)
2024-01-24 12:28:35,114 TRACE org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver : Attempting to resolve from Ant [pattern='/**/{registrationId}'] since registrationId is null
2024-01-24 12:28:35,120 TRACE org.springframework.security.authentication.ProviderManager : Authenticating request with OpenSamlAuthenticationProvider (1/1)
2024-01-24 12:28:35,185 DEBUG org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider : Processing SAML response from http://www.okta.com/exkar5e4vbGQS6kYS697
2024-01-24 12:28:35,274 DEBUG org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider : Found 1 validation errors in SAML response [id3210990765450188248512483]: [[invalid_assertion] Invalid assertion [id32109907656084221846235013] for SAML response [id3210990765450188248512483]: Condition '{urn:oasis:names:tc:SAML:2.0:assertion}AudienceRestriction' of type 'null' in assertion 'id32109907656084221846235013' was not valid.: None of the audiences within Assertion 'id32109907656084221846235013' matched the list of valid audiances]
2024-01-24 12:28:35,275 TRACE org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter : Failed to process authentication request
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException: Invalid assertion [id32109907656084221846235013] for SAML response [id3210990765450188248512483]: Condition '{urn:oasis:names:tc:SAML:2.0:assertion}AudienceRestriction' of type 'null' in assertion 'id32109907656084221846235013' was not valid.: None of the audiences within Assertion 'id32109907656084221846235013' matched the list of valid audiances
at org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.createAuthenticationException(OpenSamlAuthenticationProvider.java:699)
at org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.process(OpenSamlAuthenticationProvider.java:519)
at org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.authenticate(OpenSamlAuthenticationProvider.java:447)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182)
Please let me know why the audience URI is coming out wrong. My Okta configuration:
