Login failure with the reason https://%cpm servername%/remote_auth/metadata is not a valid audience for this Response (invalid_response) ​

Login failure with the reason https://%cpm servername%/remote_auth/metadata is not a valid audience for this Response (invalid_response) ​

This error can occur for several reasons when trying to implement IDP/ ADFS integration with Cloud Protection Manager. This document will detail what to check in Cloud Protection Manager and on the IDP side to resolve this.

Excerpt from cpm_server#.log:
ERROR:  complete_directory_service_signin(.\cpmserver\cpm\additional_views.py:1269)  login failed. reason: https://%cpm servername%/remote_auth/metadata is not a valid audience for this Response (invalid_response) .

NOTE: This error can also contain the server's IP address in the error above.

Common causes of the login failure with an invalid Audience message are:

1. Using a mix of IP address and FQDN
Please ensure that you do not have a a configuration setting that is using IP address of the IDP server or CPM server one side of the configuration while using FQDN on
the other. You can verify settings on the CPM side by checking the General Settings, Identity Provider Section.

Please ensure you are not mixing using IP address in the CPM IP or DNS Name Field and on the Okta/IDP side.
To correct the error re enter the CPM IP or DNS name in CPM and Hit The Apply Button. Please  verify connection using the  Test Connection Button. You should get a successful connection then hit the Close Button.

NOTE: Make sure that the CPM IP or DNS field is using the same FQDN or IP Address that is defined on the IDP side. Do not mix the settings or errors will occur. 
On the IDP side for Okta /IDP or ADFS please check the entry for the  "Audience Restriction", below is a sample configuration from Okta SAML settings.

2.Adding additional characters or null characters:
Please carefully enter the URL addresses for the "Audience Restriction" on the IDP side. Make sure if you are copying and pasting a URL into either CPM or IDP side that there are no preceding or following spaces or other characters in the URL line. Re enter the URL's manually or remove the space either at the end or the beginning of the URL links:

The URL's for the following in Okta must be correct format:
Single Sign On URL       https://<CPFQDN>/remote_auth_/complete_login/
recipient URL                 https://<CPFQDN>/remote_auth/complete_login/
Destination URL            https://<CPM FQDN>/remote_auth/complete_login/
Audience Restriction    https://<CPFQDN>/remote_auth/metadata

NOTE: The CPM FQDN= the CPM instance IP address or FQDN, please put the actual CPM address information.

You can correct that by removing any extra "/" or any null characters. If the error persists consider typing the URL in manually.

A. On the Okta side check you settings by logging into the Otka console and going under my Applications, then click on " CPM".
NOTE: This data you are verifying would have been entered into CPM General Settings  Identity Provider. these steps show where they would have been taken from in OKTA.

B. Then select the Sign On tab. 

C.  Click on View Setup Instructions.
Then verify the following Fields are correctly match the settings in CPM Server either by using the FQDN or the IP Address.
Identity Provider Single-ON URL:
Identity Provider Single Logout URL:
Identity Provider Issuer:

Note: The Identity issuer from OKTA is equal to the Entity ID  field in CPM.

D. Compare the settings above to CPM Manager General Settings, Identity Provider section.

E. Correct the setting as needed and retest the login. 
If the above does not correct the error please open a support issue and also include the CPM logs which you can follow the directions to gather the logs at this link:

In Addition to save time when you open a Support ticket please gather these additional items:
1. Please send a copy of the error, with a description of when you receive it.
2. Copy of the error when you hit the Test Connection button in CPM Identity Provider. 
3. Please provide screenshots of the Identity Provider settings and a screenshot of the IDP side that show how you configured it.