Our field sales team is completely blocked after we updated the SAML IdP metadata in our SAP CX mobile sales configuration. Android users are getting authentication failures when trying to log in, while iOS users can access the app without issues.
The error appears right after the SAML redirect:
SAML Response validation failed
Invalid AudienceRestriction
Expected: https://mobile.sapcx.company.com
We refreshed the IdP metadata to add a new signing certificate, but now the AudienceRestriction validation is failing. The ACS URL configuration looks correct in both the IdP and SAP CX settings. This is impacting 200+ field sales reps who can’t access customer data or submit orders. Any guidance on what might be misconfigured?
Thanks for the quick response. I checked the entity ID in the IdP metadata and it matches our configuration. However, I noticed the metadata now includes multiple AudienceRestriction values. Could that be causing the Android app to fail validation while iOS passes?
Adding to what others said - the ACS URL configuration is critical here. After metadata refresh, your IdP might be sending responses to a different ACS endpoint. Check your SAML tracer logs on an Android device to see which ACS URL the IdP is posting to versus what SAP CX mobile expects. The Android app might have cached the old ACS URL configuration. Try clearing app data on a test device and re-authenticating.
I found the root cause when we had this exact issue last quarter. The problem is in how the SAML metadata refresh affects the AudienceRestriction validation on different platforms.
Issue Analysis:
Your IdP metadata refresh added a new signing certificate, but it also modified the audience restriction values. The Android SAML library validates ALL audience restrictions in strict order, while iOS is more lenient.
SAML Metadata Refresh Steps:
1. In your IdP, verify the EntityDescriptor includes the correct audience:
<Audience>https://mobile.sapcx.company.com</Audience>
2. Check SAP CX Mobile Configuration (Administration → Mobile Sales → SAML Settings):
AudienceRestriction Validation Fix:
3. In your IdP SAML assertion configuration, ensure only ONE audience restriction is specified
4. If multiple audiences are required, list them in priority order with mobile endpoint first
5. Re-download the IdP metadata and import it into SAP CX (don’t manually edit)
ACS URL Configuration:
6. Verify the AssertionConsumerService location in metadata matches your mobile app configuration
7. Update the mobile app configuration file to force refresh the SAML endpoints:
- For Android: Clear app data AND uninstall/reinstall to clear cached SAML config
- Push updated app configuration via MDM if available
- Test with SAML tracer on Android - you should see the response posting to the correct ACS URL with matching audience
Additional Checks:
- Verify your new signing certificate is properly imported into SAP CX trust store
- Check that the certificate chain is complete in the SAML response
- Ensure Android system time is synchronized (SAML assertions are time-sensitive)
After implementing these changes, have your Android users uninstall and reinstall the mobile app to clear all cached SAML configuration. The AudienceRestriction validation should then pass correctly. This resolved the issue for our 300+ mobile users within 24 hours of the fix.
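Since the thread hinges on what the metadata refresh actually changed and whether the new signing certificate reached the SAP CX trust store, here is an added Python example (not code from SAP, the IdP vendor, or anyone in this thread). It diffs an IdP EntityDescriptor before and after a refresh and lists signing-certificate fingerprints that a trust store does not yet hold. The IdP entity ID, SSO URL and certificate bytes are constructed placeholders; the parsing and SHA-256 fingerprint logic is what you would run over real metadata.

```python
"""Compare two copies of IdP metadata, before and after a refresh, and list the
signing certificates the SP trust store does not yet hold. The 'certificates'
below are constructed placeholder bytes, not real DER; the fingerprint logic
(SHA-256 over the base64-decoded X509Certificate content) is the real one."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
         "ds": "http://www.w3.org/2000/09/xmldsig#"}
IDP_ENTITY_ID = "https://idp.example.com/metadata"   # constructed, not from the thread
SSO_URL = "https://idp.example.com/sso/redirect"     # constructed, not from the thread
OLD_CERT = base64.b64encode(b"CONSTRUCTED PLACEHOLDER, NOT A REAL CERTIFICATE 1").decode()
NEW_CERT = base64.b64encode(b"CONSTRUCTED PLACEHOLDER, NOT A REAL CERTIFICATE 2").decode()


def build_idp_metadata(entity_id, signing_certs_b64, sso_url):
    """Construct a minimal EntityDescriptor with one signing KeyDescriptor per cert."""
    keys = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for c in signing_certs_b64)
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS["md"]}" xmlns:ds="{MD_NS["ds"]}" entityID="{entity_id}">'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{keys}<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
            f'Location="{sso_url}"/></md:IDPSSODescriptor></md:EntityDescriptor>')


def fingerprint(cert_b64):
    """SHA-256 of the DER bytes, the value most trust-store UIs display."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def summarize_idp_metadata(xml_text):
    """entityID, signing-cert fingerprints and SSO endpoints of one EntityDescriptor."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", MD_NS)
    certs = [fingerprint(c.text) for kd in idp.findall("md:KeyDescriptor", MD_NS)
             if kd.get("use", "signing") == "signing"  # no 'use' attribute means signing and encryption
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD_NS)]
    return {"entity_id": root.get("entityID"),
            "signing_fingerprints": sorted(certs),
            "sso_locations": [s.get("Location") for s in idp.findall("md:SingleSignOnService", MD_NS)]}


def metadata_diff(before, after):
    """What the refresh changed: identifier, endpoints, and certs added or removed."""
    old, new = set(before["signing_fingerprints"]), set(after["signing_fingerprints"])
    return {"entity_id_changed": before["entity_id"] != after["entity_id"],
            "sso_changed": before["sso_locations"] != after["sso_locations"],
            "certs_added": sorted(new - old),
            "certs_removed": sorted(old - new)}


def trust_store_missing(metadata_summary, trusted_fingerprints):
    """Signing certs present in the metadata but absent from the SP trust store."""
    return sorted(set(metadata_summary["signing_fingerprints"]) - set(trusted_fingerprints))


if __name__ == "__main__":
    before = summarize_idp_metadata(build_idp_metadata(IDP_ENTITY_ID, [OLD_CERT], SSO_URL))
    after = summarize_idp_metadata(build_idp_metadata(IDP_ENTITY_ID, [OLD_CERT, NEW_CERT], SSO_URL))
    print(metadata_diff(before, after))                         # one cert added, nothing else changed
    print(trust_store_missing(after, [fingerprint(OLD_CERT)]))  # the new cert still needs importing
```

Run it against the metadata file you exported before the refresh and the one you imported after it, and feed `trust_store_missing` the fingerprints shown in the SAP CX trust store; an empty list for `certs_removed` and a non-empty `trust_store_missing` is the "new cert not imported" case from the Additional Checks above, while a changed `entity_id` points at the audience problem instead.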
That’s likely the issue. When you have multiple AudienceRestriction values, the SAML response must match at least one of them. Android’s SAML implementation might be checking against a different audience value than iOS. Go to your SAP CX Mobile Configuration and verify the Service Provider Entity ID matches exactly what’s in your IdP’s audience list. Also check if the metadata refresh changed the case sensitivity - I’ve seen ‘https’ vs ‘HTTPS’ cause failures on Android.
Cleared the app data on several test devices but still getting the same error. The SAML tracer shows the IdP is posting to the correct ACS URL. I’m going to compare the full SAML response between iOS and Android to see what’s different.
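To make the AudienceRestriction rule concrete for the iOS-versus-Android comparison planned above, and for the multiple-audience and case-sensitivity points raised earlier in the thread, here is an added Python example (not code from SAP CX, the IdP, or anyone in this thread). It pulls the fields that usually differ between a passing and a failing capture out of a SAML Response, applies the SAML 2.0 Core rule (section 2.5.1.4) that every AudienceRestriction element must be satisfied and that one is satisfied when any of its Audience values equals the SP entity ID, and checks the assertion's validity window against the device clock. The SP entity ID is the one from the error message; the ACS path, the IdP entity ID and the sample responses are constructed.

```python
"""Diagnostics for a SAML 2.0 Response as captured by a SAML tracer: extract the
fields that usually differ between a passing and a failing login, apply the
AudienceRestriction rule from SAML 2.0 Core section 2.5.1.4, and check the
validity window against the device clock. All sample data is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://mobile.sapcx.company.com"      # from the error in the question
ACS_URL = "https://mobile.sapcx.company.com/saml/acs"  # assumed ACS path, not from the thread
IDP_ENTITY_ID = "https://idp.example.com/metadata"     # constructed


def build_response(audience_groups, not_before, not_on_or_after, acs=ACS_URL):
    """Construct a minimal unsigned Response. Each inner list of audience_groups
    becomes one <AudienceRestriction> holding one <Audience> per entry."""
    restrictions = "".join(
        "<saml:AudienceRestriction>"
        + "".join(f"<saml:Audience>{a}</saml:Audience>" for a in group)
        + "</saml:AudienceRestriction>" for group in audience_groups)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="{acs}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{acs}" NotOnOrAfter="{not_on_or_after}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      {restrictions}
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def summarize(response_xml):
    """The fields worth comparing between two captures (e.g. iOS vs Android)."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    return {
        "destination": root.get("Destination"),
        "issuer": (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "recipient": scd.get("Recipient") if scd is not None else None,
        "not_before": conditions.get("NotBefore"),
        "not_on_or_after": conditions.get("NotOnOrAfter"),
        "audiences": [[(a.text or "").strip() for a in ar.findall("saml:Audience", NS)]
                      for ar in conditions.findall("saml:AudienceRestriction", NS)],
    }


def check_audience(response_xml, sp_entity_id=SP_ENTITY_ID, strict=True):
    """Every <AudienceRestriction> must be satisfied; one is satisfied when ANY of
    its <Audience> values names this SP. Entity IDs are URIs compared as strings,
    so strict=True is conforming behaviour; strict=False folds case, mimicking a
    lenient client that hides an 'HTTPS://' vs 'https://' mismatch at the IdP."""
    groups = summarize(response_xml)["audiences"]
    if not groups:
        return False, "no AudienceRestriction in assertion (most SPs reject this)"
    norm = (lambda s: s) if strict else str.lower
    for group in groups:
        if norm(sp_entity_id) not in [norm(a) for a in group]:
            return False, f"Invalid AudienceRestriction: expected {sp_entity_id}, got {group}"
    return True, "audience ok"


def parse_saml_time(value):
    """xs:dateTime as IdPs emit it: UTC with trailing Z, fractional seconds optional."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_time_window(response_xml, device_now, clock_skew_seconds=0):
    """NotBefore <= now < NotOnOrAfter, widened by the tolerated clock skew."""
    s = summarize(response_xml)
    skew = timedelta(seconds=clock_skew_seconds)
    if device_now < parse_saml_time(s["not_before"]) - skew:
        return False, "not yet valid: device clock behind the IdP"
    if device_now >= parse_saml_time(s["not_on_or_after"]) + skew:
        return False, "expired: device clock ahead of the IdP, or a slow redirect"
    return True, "within validity window"


def diff_summaries(passing, failing):
    """Only the fields that differ between a working and a failing capture."""
    return {k: (passing[k], failing[k]) for k in passing if passing[k] != failing[k]}


if __name__ == "__main__":
    ios = build_response([[SP_ENTITY_ID]], "2024-05-01T10:00:00Z", "2024-05-01T10:05:00Z")
    android = build_response([["https://crm.sapcx.company.com", "HTTPS://mobile.sapcx.company.com"]],
                             "2024-05-01T10:00:00Z", "2024-05-01T10:05:00Z")
    print(diff_summaries(summarize(ios), summarize(android)))
    print(check_audience(android))                # strict: rejected, scheme case differs
    print(check_audience(android, strict=False))  # lenient: accepted, masking the mismatch
    now = parse_saml_time("2024-05-01T10:07:00Z")
    print(check_time_window(android, now))        # expired two minutes ago
    print(check_time_window(android, now, clock_skew_seconds=180))
```

Paste the base64-decoded Response from each platform's tracer into `summarize` and run `diff_summaries` on the two; if only `audiences` differs, the IdP is issuing different assertions per client (usually a per-app SP configuration at the IdP), while identical summaries with one platform still failing point at the client's validation behaviour, which is what the strict/lenient switch and the clock-skew parameter let you reproduce.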