SAML-Toolkits · quantus · Jul 29, 2025
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
@@ -167,7 +167,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 # Checks audience
                 valid_audiences = self.get_audiences()
                 if valid_audiences and sp_entity_id not in valid_audiences:
-                    raise OneLogin_Saml2_ValidationError("%s is not a valid audience for this Response" % sp_entity_id, OneLogin_Saml2_ValidationError.WRONG_AUDIENCE)
+                    raise OneLogin_Saml2_ValidationError('Response audience "%s" does not contain SP entityId "%s"' % (", ".join(valid_audiences), sp_entity_id), OneLogin_Saml2_ValidationError.WRONG_AUDIENCE)
 
                 # Checks the issuers
                 issuers = self.get_issuers()

diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -1143,7 +1143,7 @@ def testIsInValidAudience(self):
         response_2 = OneLogin_Saml2_Response(settings, message)
 
         self.assertFalse(response_2.is_valid(request_data))
-        self.assertIn("is not a valid audience for this Response", response_2.get_error())
+        self.assertIn('Response audience "http://invalid.audience.com" does not contain SP entityId "http://stuff.com/endpoints/metadata.php"', response_2.get_error())
 
     def testIsInValidAuthenticationContext(self):
         """