API Gateway 10.11 | Administering API Gateway | Operating API Gateway | System Settings | SAML SSO | How to enable SAML SSO in API Gateway? | Troubleshoot tips for SSO configuration
 
Troubleshoot tips for SSO configuration
Issue
Symptom
Solution
org.opensaml.common.SAMLException: Local entity is not the intended audience of the assertion in at least one AudienceRestriction.
The audience URL in the SAML assertion does not match with the Service provider identity in API Gateway.
Make sure the Service provider identity in API Gateway matches with the audience URL.
If you have enabled Enforce SSO login by default, and if you have provided incorrect information while configuring SAML SSO, you cannot update the SAML SSO configuration in API Gateway as you are redirected to the SSO Login page directly.
In such case, you can login into API Gateway using the http(s)://hostname: portnumber/apigatewayui/login?usesso=false URL and update the SSO configuration with correct details.
Note:
If there is any other exception, check the sag_osgi.log at <SAGInstallDir>\profiles\IS_default\logs directory to trouble shoot.
Limitation
When you log into API Gateway using SSO, both the IdP and API Gateway sessions are created. But when you log out from API Gateway, only the API Gateway session gets terminated, the IdP session gets terminated based on its session timeout configuration. API Gateway does not support Single Logout (SLO).