Hello All -
I’m working on a Terraform Enterprise - Keycloak integration using SAML for SSO. I’m following the IdP-initiated authentication workflow. I see that TFE provides the following 3 URLs:
- ACS Consumer (Recipient) URL: https://{my-tfe-host}/users/saml/auth
- Metadata (Audience) URL: https://{my-tfe-host}/users/saml/metadata
- NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
After successful authentication from Keycloak, I see the following error when the browser redirects to TFE.
CONFIGURATION ERROR: https://{my-tfe-host}/users/saml/metadata is not a valid audience for this Response - Valid audiences: terraform
I’m not sure how to set up the audience configuration in Keycloak, since I didn’t see any related property in the Keycloak client settings.
Please find below my keycloak client configuration.
- Client ID: terraform
- Client Protocol: SAML
- Name ID Format: email
- IDP Initiated SSO URL Name: terraform
- Assertion Consumer Service POST Binding URL: https://{my-tfe-host}/users/saml/auth
- Assertion Consumer Service Redirect Binding URL:
- Root URL:
- Valid Redirect URIs:
- Base URL:
- Master SAML Processing URL:
- IDP Initiated SSO Relay State:
- Logout Service POST Binding URL:
- Logout Service Redirect Binding URL:
Any help or pointers to fix this error would be highly appreciated. Thank you!
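To make the error above concrete, here is an added illustration (not code from the post, from Terraform Enterprise, or from Keycloak) of the audience check a SAML service provider performs on the assertion it receives. The SP compares its own entity ID (for TFE, the metadata URL shown above) against every `<saml:Audience>` in the assertion's `<saml:AudienceRestriction>`; the error text in the post says the assertion carried the audience `terraform` while the SP's entity ID was the metadata URL. The hostnames, the sample Response, and the check's message format (written to mirror the wording in the post) are assumptions for the example; the sample Response is constructed and unsigned, so signature validation, which a real SP performs before anything else, is deliberately out of scope.

```python
"""Illustrative SAML audience check, showing the mismatch from the post.

Added example; not TFE or Keycloak code. Hostnames are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed SP entity ID: TFE advertises its metadata URL as its audience.
SP_ENTITY_ID = "https://tfe.example.com/users/saml/metadata"


def build_response(audience: str, name_id: str = "user@example.com") -> str:
    """Build a constructed, unsigned SAML Response carrying one Audience value."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="https://tfe.example.com/users/saml/auth">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://keycloak.example.com/realms/demo</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def audiences(response_xml: str) -> list[str]:
    """Return every Audience value found under the assertion's Conditions."""
    root = ET.fromstring(response_xml)
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in root.findall(path, NS) if a.text]


def check_audience(response_xml: str, sp_entity_id: str) -> tuple[bool, str]:
    """Accept the Response only if the SP's entity ID is among its audiences.

    The failure message is written to mirror the wording quoted in the post.
    A missing AudienceRestriction is treated as a failure here (strict choice
    for the example; real SP libraries differ on that edge case).
    """
    auds = audiences(response_xml)
    if not auds:
        return False, "assertion carries no AudienceRestriction"
    if sp_entity_id in auds:
        return True, "audience ok"
    return (
        False,
        f"{sp_entity_id} is not a valid audience for this Response"
        f" - Valid audiences: {','.join(auds)}",
    )


if __name__ == "__main__":
    # Case 1: IdP set the audience to the client ID, as in the post.
    print(check_audience(build_response("terraform"), SP_ENTITY_ID))
    # Case 2: IdP set the audience to the SP's metadata URL.
    print(check_audience(build_response(SP_ENTITY_ID), SP_ENTITY_ID))
```

Running the script prints a failure for the first case with exactly the shape of the message in the post, and a success for the second, which is the comparison the SP is making when it raises that configuration error.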