From 66ab8dafb3c956c13169bb5c9dc0fb4585b09d3a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pekka=20P=C3=B6yry?=
Date: Tue, 29 Jul 2025 13:43:54 +0300
Subject: [PATCH] Improve invalid audience error message

Make the error message for invalid audience more descriptive by including the request's audience and the expected value.

---
 src/onelogin/saml2/response.py | 2 +-
 tests/src/OneLogin/saml2_tests/response_test.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 5677ad9e..24834e5f 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -167,7 +167,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
 # Checks audience
 valid_audiences = self.get_audiences()
 if valid_audiences and sp_entity_id not in valid_audiences:
- raise OneLogin_Saml2_ValidationError("%s is not a valid audience for this Response" % sp_entity_id, OneLogin_Saml2_ValidationError.WRONG_AUDIENCE)
+ raise OneLogin_Saml2_ValidationError('Response audience "%s" does not contain SP entityId "%s"' % (", ".join(valid_audiences), sp_entity_id), OneLogin_Saml2_ValidationError.WRONG_AUDIENCE)
 
 # Checks the issuers
 issuers = self.get_issuers()
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index 6249258b..e806adb5 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -1143,7 +1143,7 @@ def testIsInValidAudience(self):
 response_2 = OneLogin_Saml2_Response(settings, message)
 
 self.assertFalse(response_2.is_valid(request_data))
- self.assertIn("is not a valid audience for this Response", response_2.get_error())
+ self.assertIn('Response audience "http://invalid.audience.com" does not contain SP entityId "http://stuff.com/endpoints/metadata.php"', response_2.get_error())
 
 def testIsInValidAuthenticationContext(self):
 """
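Review bot: The new `+` line in response.py interpolates the values returned by `self.get_audiences()` straight into the error text, and those values come from the incoming SAML Response (the `<Audience>` elements the remote party sends), so wherever `get_error()` is later logged or shown, remote-supplied strings — including any embedded newlines, quotes or control characters — are now echoed verbatim; whether the signature has already been checked at this point is not visible in the hunk, but even a legitimately signed response can carry arbitrary audience text. Rendering the values with `%r` instead of `%s` keeps the diagnostic value while escaping line breaks and quotes, e.g. `'Response audiences %r do not contain SP entityId %r' % (valid_audiences, sp_entity_id)`, and the expected string in the response_test.py hunk would change accordingly. The join also presumes every audience is a `str`; `get_audiences()` is outside the hunk, so that is worth confirming or a `TypeError` replaces the validation error. A one-line comment such as `# valid_audiences are the audiences the Response asserts, not the ones the SP accepts` would help, since the local name reads the other way round. The enclosing `is_valid` body begins and ends outside the hunk.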