#fleet

Mike S.

03/23/2023, 3:54 PM
Good morning team! I'm working on Okta integration today and am running into this error: Mar 23 15:35:19 <hostname> fleet[5941]: {"component":"http","err":"response validation failed: wrong audience:fleet","level":"error","method":"POST","took":"8.576283ms","ts":"2023-03-23T15:35:19.891266573Z","uri":"/api/v1/fleet/sso/callback"} I saw in a previous post where this appears to be an issue with the entity ID. After looking at the metadata, it looks like the Entity ID in Fleet and the metadata are identical. Has anyone else run into this?

Kathy Satterlee

03/23/2023, 4:14 PM
Hey @Mike S.! It definitely sounds like the Entity ID is the most likely culprit. Those are case-sensitive, could that be a factor?

Mike S.

03/23/2023, 4:15 PM
Not that I can tell... I copied/pasted it, but I will double check that!
And hi @Kathy Satterlee!

zwass

03/23/2023, 4:48 PM

Mike S.

03/23/2023, 5:28 PM
It does match that so we should be good there.

zwass

03/23/2023, 5:37 PM
Do you have Entity ID set to fleet in the Fleet SSO config?

Mike S.

03/23/2023, 5:38 PM
Yes

zwass

03/23/2023, 7:28 PM
I notice the SAML you shared has a saml2:Assertion at the topmost level rather than a saml2p:Response or samlp:Response at the top level. I think that's probably the issue. Any idea why that would be? See some example responses at https://www.samltool.com/generic_sso_res.php
The examples in Okta's docs show the same top level items that we expect (but your response doesn't have) as well: https://developer.okta.com/docs/guides/saml-tracer/main/