aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0

SecurityTokenValidator throws "IDX10214: Audience validation failed." during WS-Federation auth but audience is present in the token. #400

Closed SeminDM closed 3 years ago

SeminDM commented 3 years ago

Hello! I want to use WS-Federation for authentication by Azure AD.

I have this code in Startup.cs

foreach (var socket in federationSockets)
{
    var metadata = socket.ServerUri;                 // federation metadata endpoint
    var wtrealm = socket.RelyingPartyIdentifier;     // relying party identifier sent as wtrealm
    var host = serverConfig.ServerAddress;
    var wreply = $"{host}/Home/LoginByFederationService/channel={socket.Id}";

    app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
    {
        Wtrealm = wtrealm,
        MetadataAddress = metadata,
        AuthenticationType = socket.Id,
        Wreply = wreply,
        SignOutWreply = host
    });
}

This code works correctly for auth by ADFS, but in the case of Azure AD I get this error: IDX10214: Audience validation failed. Audiences: 'spn:2c855e3f-...a17'. Did not match: validationParameters.ValidAudience: '2c855e3f-...a17' or validationParameters.ValidAudiences: 'null'. I guess the problem is the "spn:" prefix before the audience in the SAML token. Why is "spn:" added to the audience value?

Thank you!

SeminDM commented 3 years ago

Like the Issuer value, the Audience value must exactly match one of the service principal names that represents the cloud service in Azure AD. However, if the value of the Issuer element is not a URI value, the Audience value in the response is the Issuer value prefixed with spn:

reference
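As an added example (not the issue author's code and not Katana's own), this shows the failing configuration from the issue next to one that accepts the audience Azure AD actually emits, following the rule quoted above. It assumes Katana 4.x, where `WsFederationAuthenticationOptions.TokenValidationParameters` is a `Microsoft.IdentityModel.Tokens.TokenValidationParameters`; `ExpectedAudiences` is a hypothetical helper and the app id and tenant values are placeholders.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Tokens;          // TokenValidationParameters (Katana 4.x)
using Microsoft.Owin.Security.WsFederation;

// Hypothetical helper, not part of Katana: the audience values Azure AD will
// place in the SAML token for a given wtrealm, per the documented rule.
static IEnumerable<string> ExpectedAudiences(string wtrealm)
{
    // A realm that is an absolute URI is echoed back unchanged.
    yield return wtrealm;

    // A realm that is not a URI (e.g. the bare application id GUID) comes back
    // prefixed with "spn:", which is exactly what IDX10214 complains about.
    if (!Uri.IsWellFormedUriString(wtrealm, UriKind.Absolute))
        yield return "spn:" + wtrealm;
}

// Placeholder values, constructed for this example.
const string appId = "2c855e3f-0000-0000-0000-000000000a17";
const string metadata =
    "https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml";

// Before: Wtrealm is the bare app id, so the token carries "spn:<appId>" while
// the middleware only accepts "<appId>" as ValidAudience -> IDX10214.
var failing = new WsFederationAuthenticationOptions
{
    Wtrealm = appId,
    MetadataAddress = metadata,
};

// After: keep the same Wtrealm but list every form the audience may take.
// Katana still copies Wtrealm into ValidAudience; a token passes when its
// audience matches either ValidAudience or any entry in ValidAudiences.
var fixedOptions = new WsFederationAuthenticationOptions
{
    Wtrealm = appId,
    MetadataAddress = metadata,
    TokenValidationParameters = new TokenValidationParameters
    {
        ValidAudiences = new List<string>(ExpectedAudiences(appId)),
    },
};
```

Registering an absolute URI (such as the app's reply URL) as the relying-party identifier in Azure AD and using that URI as `Wtrealm` avoids the prefix altogether, so only one audience value needs to be trusted.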