I'm using the Systainsys SAML2 owin library in a .Net 4.8. After enabling logging I get this response logged. I don't understand what the issue is I'm redacting some of the stuff in the SAML response JIC
Saml2 Authentication failed. The received SAML data is
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Destination="https://####.####.com/Saml2/Acs" ID="_c68e19d777a7a13bab9ff8d54e83ad54" InResponseTo="id4cced0bf2ffe4967a605d630433a5b72" IssueInstant="2020-12-29T08:34:21Z" Version="2.0">
<saml:Issuer>https://ut1-www.is.sg.######.com/_fed/1/244023058963</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_c68e19d777a7a13bab9ff8d54e83ad54">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>gDIpQQwjNoeuy99R70CK3foRdds=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>quIekezIAu/n4BzOFuhFLqGhV4s80O0dPeogYufJq/oz6hxFqVETwnZ4ogd+62gyAX7EpRQ2q/NT
EdnnonD7RIVK89E5/K+LXjNWpXGxYFOmyrjUVCpWpo4WoNh720TkRwAAOnDSSnimb/EZf/c74dFp
4O5oNPC2r1uYYZ2ka6Zz0BcwnDIkFnJ60Q90ooJlYKZyBgGWpia7iyr3B61FCb/4bd6XWo5f3OZX
+mUPkacouj8nvYVAnbvOZZd+jXsOEkPvBCiCT+iEOrd4zzGkdPnowN9/eDljGYmBvT7GdqkrDIN6
2UMiBArIe0lk9LkhLNSHWl0o4Fd7ca6i96tZeA==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIDA....</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion ID="_4c8ae5013fa6e1c8ba67d5274cec9bbd" IssueInstant="2020-12-29T08:34:21Z" Version="2.0">
<saml:Issuer>https://ut1-www.is.sg.#####.com/_fed/1/244023058963</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">######</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="id4cced0bf2ffe4967a605d630433a5b72" NotOnOrAfter="2020-12-29T08:39:21Z" Recipient="https://#####.#####.com/Saml2/Acs" />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-12-29T08:34:21Z" NotOnOrAfter="2020-12-29T08:39:21Z">
<saml:AudienceRestriction>
<saml:Audience>https://####.#####.com/SAML2</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2020-12-29T08:34:21Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
Edit
After enabling the Katana logging I got this error
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'https://.soterion.com/SAML2'. Did not match: validationParameters.ValidAudience: 'https://.soterion.com/Saml2' or validationParameters.ValidAudiences: 'null'. at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) in C:\agent2_work\15\s\src\Microsoft.IdentityModel.Tokens\Validators.cs:line 108 at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConditions(Saml2SecurityToken samlToken, TokenValidationParameters validationParameters) in C:\agent2_work\15\s\src\Microsoft.IdentityModel.Tokens.Saml\Saml2\Saml2SecurityTokenHandler.cs:line 948
The Owin library is very non-friendly when troubleshooting. Enable the Katana logging to get some more details.