Sample Analysis Report

SAML ACS and audience mismatch

SAML · saml_response · saml_request · saml_metadata · SAMPLE

Confidence: HIGH (sample assessment)
Suspected Issue

SP and IdP configuration are out of sync

2 findings
What this is

This is an example report using sample evidence. It shows the kind of output AccessTrace generates after a user analyzes their own redacted evidence.


Technical Findings

What AccessTrace would flag

Finding 1: AuthnRequest ACS URL is not present in SP metadata

HIGH confidence

The service provider is requesting an assertion consumer endpoint that is not listed in trusted metadata. Many IdPs reject this because the requested endpoint is not trusted.

Recommended remediation

Update the SP metadata or application SAML configuration so the requested ACS URL exactly matches a trusted metadata endpoint.

Sample evidence
  • Request ACS URL: https://salesforce.example.com/saml/acs/NEW
  • Metadata ACS URL: https://salesforce.example.com/saml/acs

Finding 2: Assertion audience does not match SP entityID

HIGH confidence

The assertion appears intended for a different audience than the service provider entityID in metadata.

Recommended remediation

Confirm the SP entityID configured in the application and metadata, then regenerate or update metadata if needed.

Sample evidence
  • Assertion audience: https://salesforce.example.com/saml/metadata-old
  • SP metadata entityID: https://salesforce.example.com/saml/metadata
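The two findings above are both exact-match comparisons against the SP metadata: the ACS URL named in the AuthnRequest must be one of the published AssertionConsumerService locations, and the assertion's Audience must equal the SP entityID. The following checker is an added example, not AccessTrace's own code; it parses constructed, redacted-style XML that carries the sample URLs from this report and reproduces both findings. The element and attribute names are the standard SAML 2.0 ones; the XML documents themselves are constructed for this example.

```python
"""Cross-check a SAML AuthnRequest and Assertion against SP metadata.

Added example (not AccessTrace code). The three XML documents below are
constructed sample evidence carrying the URLs from the report above.
"""
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata: one trusted ACS endpoint and the SP entityID.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://salesforce.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://salesforce.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest asking for an ACS URL that metadata does not list.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://salesforce.example.com/saml/acs/NEW">
  <saml:Issuer>https://salesforce.example.com/saml/metadata</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed Assertion whose Audience names a stale SP entityID.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:01Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://salesforce.example.com/saml/metadata-old</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def trusted_acs_urls(metadata_xml):
    """Return the set of ACS Location values published in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return {
        acs.get("Location")
        for acs in root.iterfind(".//md:AssertionConsumerService", NS)
        if acs.get("Location")
    }


def sp_entity_id(metadata_xml):
    """Return the entityID attribute of the EntityDescriptor."""
    return ET.fromstring(metadata_xml).get("entityID")


def requested_acs_url(authn_request_xml):
    """Return the ACS URL the SP asked for (None if the request omits it)."""
    return ET.fromstring(authn_request_xml).get("AssertionConsumerServiceURL")


def assertion_audiences(assertion_xml):
    """Return every Audience value under the assertion's AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    return {a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text}


def check_saml_config(metadata_xml, authn_request_xml, assertion_xml):
    """Return a list of (finding, evidence) tuples; an empty list means consistent.

    Comparison is an exact string match, which is the rule IdPs apply:
    an extra path segment or a trailing slash is a mismatch, not a near miss.
    """
    findings = []
    trusted = trusted_acs_urls(metadata_xml)
    requested = requested_acs_url(authn_request_xml)
    if requested is not None and requested not in trusted:
        findings.append((
            "AuthnRequest ACS URL is not present in SP metadata",
            {"request_acs": requested, "metadata_acs": sorted(trusted)},
        ))
    entity_id = sp_entity_id(metadata_xml)
    audiences = assertion_audiences(assertion_xml)
    if audiences and entity_id not in audiences:
        findings.append((
            "Assertion audience does not match SP entityID",
            {"audiences": sorted(audiences), "sp_entity_id": entity_id},
        ))
    return findings


if __name__ == "__main__":
    for title, evidence in check_saml_config(SP_METADATA, AUTHN_REQUEST, ASSERTION):
        print(f"HIGH  {title}")
        for key, value in evidence.items():
            print(f"      {key}: {value}")
```

Run against the constructed evidence, the checker reports both findings; swapping the request's ACS URL for the published one and the audience for the current entityID yields an empty list, which is the state the remediation steps above aim for.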

Sample Generated Report

Troubleshooting narrative

Executive Summary

AccessTrace identified a likely SAML configuration mismatch. The AuthnRequest is asking the IdP to send the response to an ACS URL that is not present in the trusted SP metadata, and the assertion audience does not match the SP entityID.

Most Likely Root Cause

The SP and IdP are not using the same SAML metadata/configuration. This commonly occurs after a vendor changes an ACS URL, migrates tenants, or updates entityID values without a coordinated metadata refresh.

Vendor-Facing Message

Please confirm the ACS URL and SP entityID currently configured for this tenant. The request shows an ACS URL that does not match the trusted metadata, and the assertion audience appears to reference a different SP entityID.