I have problems getting work "SAML2 Bearer Assertion profile for Oauth" within WSO2 API Manager. I'm trying to apply "Johann's Wall" How-to on API Manager (ver. 1.5) but running in the following error.

[2013-11-08 17:44:35,930] DEBUG - SAML2BearerGrantTypeHandler SAML Assertion Audience Restriction validation failed
[2013-11-08 17:44:36,024] DEBUG - AccessTokenIssuer Invalid Grant provided by the client, id=enfKWsilmCxdIwhYiINcoA2JKwka, user-name=admin to application=MyFlowChart
[2013-11-08 17:44:36,025] DEBUG - AccessTokenIssuer OAuth-Error-Code=invalid_grant client-id=enfKWsilmCxdIwhYiINcoA2JKwka grant-type=urn:ietf:params:oauth:grant-type:saml2-bearer scope=

Checking the code of org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantTypeHandler this error should only come up if none of the "Identity Provider Audience" entries in the configured "Trusted Identity Provider" matches the <saml:Audience> values within SAML assertion. But comparing the configuration and the SAML assertion (see below) for me everthing looks good.

Hopefully someone can help me out or give me hint want's going wrong...

Setup / Configuration

1.) Setup "Trusted Identity Providers" in API Manager (see screenshot)

2.) Creating a SAML2 Assertion via SAML2AssertionCreator.jar

<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="mkfeiofmkjmjpicmdllnaapcmjlimjmajdiejiip" IssueInstant="2013-11-08T16:43:41.877Z" Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">OAuthPlayground</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#mkfeiofmkjmjpicmdllnaapcmjlimjmajdiejiip">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi"/>
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>bNaQFYpcakb07xbUpUdVuSidvuA=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>gUe0mXTRPD79HTz7[...]</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIFrDCCBJSgAwIBA[...]</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2013-11-08T16:48:41.877Z" Recipient="https://sl02502.apps.eon.com:9443/oauth2endpoints/token"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-11-08T16:43:41.877Z" NotOnOrAfter="2013-11-08T16:48:41.877Z">
        <saml:AudienceRestriction>
            <saml:Audience>restriction</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-11-08T16:43:41.945Z">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
        <saml:Attribute>
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">a</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
</saml:Assertion>

3.) Running "curl" with base64 encoded SAML assertion against OAuth endpoint of API Manager

curl -k -X POST -u "enfKWsilmCxdIwhYiINcoA2JKwka:eEfmtoFRFyl3JIhMH1jM0bbXbkMa" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=PD94bWwgdm[...]0aW9uPg%3D%3D" https://sl02502.apps.eon.com:9445/oauth2/token   

The problem is in your SAML2 Assertion. You cannot find a Audience element which has the OAuth2 token endpoint as an audience. The only audience you have is "restriction". For the saml2-bearer grant type to work you need to have the OAuth2 token endpoint as an audience for the assertion.

What you need to do is when generating the SAML2 assertion using "SAML2AssertionCreator.jar" you need to specify multiple audiences using comma separated values. E.g. https://sl02502.apps.eon.com:9445/oauth2/token,restriction

In fact the only audience you need to get saml2-bearer grant type working is the token endpoint. I.e. you don't need to specify any audience at all in the 'Trusted Identity Provider' configuration. If you do specify any audience here, then you need to make sure those audiences are coming in the SAML2 Assertion. This is useful in scenarios where this SAML2 Assertion will be used by other relying parties in addition to the token endpoint. In your case if you don't have such requirement you could remove the audience called 'restriction' from both the 'Trusted Identity Provider' configuration and the assertion or if you need such an audience you must have it in both places.