Audience configuration error

Hello All -

I’m working on Terraform Enterprise - Keycloak integration using SAML for SSO. I’m following the IdP-initiated authentication workflow. I see that TFE provides the following 3 URLs:

  • ACS Consumer (Recipient) URL: https://{my-tfe-host}/users/saml/auth
  • Metadata (Audience) URL : https://{my-tfe-host}/users/saml/metadata
  • NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

After successful authentication from Keycloak, I see the following error when the browser redirects to TFE.

CONFIGURATION ERROR: https://{my-tfe-host}/users/saml/metadata is not a valid audience for this Response - Valid audiences: terraform

I’m not sure how to set up audience configuration in Keycloak, since I didn’t see any related property in the Keycloak client settings.

Please find below my Keycloak client configuration.

  • Client ID: terraform
  • Client Protocol: SAML
  • Name ID Format: email
  • IDP Initiated SSO URL Name: terraform
  • Assertion Consumer Service POST Binding URL: https://{my-tfe-host}/users/saml/auth
  • Assertion Consumer Service Redirect Binding URL:
  • Root URL:
  • Valid Redirect URIs:
  • Base URL:
  • Master SAML Processing URL:
  • IDP Initiated SSO Relay State:
  • Logout Service POST Binding URL:
  • Logout Service Redirect Binding URL:

Any help or pointers to fix this error would be highly appreciated. Thank you!

Take a look at, let us know if it helped.

Thank you! Yes, the document helped in better understanding ‘audience’ in the Keycloak context, which helped me to troubleshoot this issue. In my case, I figured that there were 2 different attributes of the client in Keycloak (IdP) - Name and Client ID. The audience URL advertised by Terraform Enterprise (SP) was supposed to be set in the Client ID field, which I was missing.

Appreciate your response here.
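As an added illustration of the check behind the error in this thread (example code, not from Terraform Enterprise or Keycloak): an SP compares its own entity ID (the metadata/audience URL) against the `<saml:Audience>` values the IdP put in the assertion, and Keycloak fills that element with the client ID. The assertion fragment is constructed, and `{my-tfe-host}` is the placeholder used in the thread.

```python
# Added example, not code from the thread, TFE or Keycloak.
# Minimal SAML 2.0 AudienceRestriction check, reproducing the mismatch
# between a Keycloak client ID of "terraform" and the TFE metadata URL.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def assertion_with_audience(audience: str) -> str:
    """Constructed assertion fragment; Keycloak sets <saml:Audience> to the client ID."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0">
  <saml:Issuer>https://keycloak.example/realms/demo</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def audiences(assertion_xml: str) -> list:
    """Return every Audience value found under Conditions/AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in root.findall(path, NS) if a.text]

def check_audience(assertion_xml: str, sp_entity_id: str) -> tuple:
    """Strict SP-side check: the SP's own entity ID must be listed as an audience."""
    found = audiences(assertion_xml)
    if not found:
        # Treating a missing restriction as a failure is the strict choice.
        return False, "assertion carries no AudienceRestriction"
    if sp_entity_id in found:
        return True, "ok"
    return False, (f"{sp_entity_id} is not a valid audience for this Response"
                   f" - Valid audiences: {', '.join(found)}")

if __name__ == "__main__":
    sp = "https://{my-tfe-host}/users/saml/metadata"
    # Client ID "terraform" (the original configuration): rejected.
    print(check_audience(assertion_with_audience("terraform"), sp))
    # Client ID set to the TFE metadata URL (the fix in the thread): accepted.
    print(check_audience(assertion_with_audience(sp), sp))
```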