AADSTS500088: SAML Assertion is missing the required 'MajorVersion' Attribute.

Sankarbala 6 Reputation points
2022-11-16T05:27:20.227+00:00

Hi,

Good morning!

Recently, we have migrated to MSAL4J (msal4j - 1.13.2) from ADAL4J and also upgraded the ms-jdbc driver to 11.2.0 from 6.8.x. After this upgrade, our Java application started to fail with the below error while authenticating the user on AzureSql DB.

If I revert our application to the previous version, everything is working with the same user (with ms-jdbc 6.8 and adal4j). I am not sure what I am missing here.

FYI - We have a Java standalone application to perform operations on Azure SQL. We are using ActiveDirectoryPassword authentication to connect to our Azure SQL instance.

Thanks in advance, and I appreciate your help.

Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: Failed to authenticate the user aoxer@humana.com in Active Directory (Authentication=ActiveDirectoryPassword). AADSTS500088: SAML Assertion is missing the required MajorVersion Attribute.
Trace ID: f45c1c30-5d5b-4f61-8981-52b3088e6401
Correlation ID: 6c3d2e85-ac7d-4be1-a16b-0612cd3df306
Timestamp: 2022-11-11 17:37:54Z
at com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getCorrectedException(SQLServerMSAL4JUtils.java:240)
at com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getSqlFedAuthToken(SQLServerMSAL4JUtils.java:68)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.getFedAuthToken(SQLServerConnection.java:5442)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.onFedAuthInfo(SQLServerConnection.java:5415)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.processFedAuthInfo(SQLServerConnection.java:5302)
at com.microsoft.sqlserver.jdbc.TDSTokenHandler.onFedAuthInfo(tdsparser.java:306)
at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:126)
at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:37)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:6295)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:4907)
at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:4845)
at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7627)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:3912)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:3358)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2950)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:2790)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1663)
at com.microsoft.sqlserver.jdbc.SQLServerDataSource.getConnectionInternal(SQLServerDataSource.java:1385)
at com.microsoft.sqlserver.jdbc.SQLServerDataSource.getConnection(SQLServerDataSource.java:97)
at com.snaplogic.snap.api.sql.accounts.AzureSqlActiveDirectoryAccount.connect(AzureSqlActiveDirectoryAccount.java:108)
... 20 more
Caused by: java.util.concurrent.ExecutionException: java.lang.RuntimeException: AADSTS500088: SAML Assertion is missing the required 'MajorVersion' Attribute.
Trace ID: f45c1c30-5d5b-4f61-8981-52b3088e6401
Correlation ID: 6c3d2e85-ac7d-4be1-a16b-0612cd3df306
Timestamp: 2022-11-11 17:37:54Z
at com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getCorrectedException(SQLServerMSAL4JUtils.java:238)
... 39 more
Caused by: java.lang.RuntimeException: AADSTS500088: SAML Assertion is missing the required 'MajorVersion' Attribute.
Trace ID: f45c1c30-5d5b-4f61-8981-52b3088e6401
Correlation ID: 6c3d2e85-ac7d-4be1-a16b-0612cd3df306
Timestamp: 2022-11-11 17:37:54Z
at com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils.getCorrectedException(SQLServerMSAL4JUtils.java:230)
... 39 more
Reason: Connection Error, AADSTS500088: SAML Assertion is missing the required 'MajorVersion' Attribute.
Trace ID: f45c1c30-5d5b-4f61-8981-52b3088e6401
Correlation ID: 6c3d2e85-ac7d-4be1-a16b-0612cd3df306
Timestamp: 2022-11-11 17:37:54Z
Resolution: Please address message and check server status and retry

2 answers

  1. Marilee Turscak-MSFT 34,316 Reputation points Microsoft Employee
    2022-11-18T00:33:44.26+00:00

    Hi @Sankarbala ,

    Thanks for your post and I am sorry to hear that you are facing this issue. I did see another customer reporting something similar, so I have reached out to the product team to confirm if there is any breaking change.

    In the meantime though, I recommend confirming that your configurations match the MSAL application configuration guidelines if you have not already verified this information. I have seen this error before when a user had configured https://login.microsoftonline.com/common/oauth2/nativeclient as the Redirect URI when it should have been https://localhost and was using .NET Core.

    The configurations for each Platform are documented here: Client application configuration (MSAL) - Microsoft identity platform | Microsoft Learn

    Please confirm that you have the proper Redirect URI configured for your app registration and make sure that the prerequisites in the article are followed.

    If you still face this error after updating those, let me know and we can collect some logs and troubleshoot. I will also let you know when I have information from the product team.

    If the information helped you, please Accept the answer. This will help us and other community members as well.


  2. Marilee Turscak-MSFT 34,316 Reputation points Microsoft Employee
    2022-11-19T02:00:00.63+00:00

    Update:

    It looks like this might be related to a recent bug on MSAL's side if Saxon is registered as the XSLT processor. There is a related thread here: Access token cannot be retrieved if Saxon is default transformer

    If you are using Saxon, you will either need to remove the library from your project, wait for MSAL to release a fix, or use an alternative to Saxon.

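To confirm whether the Saxon condition described in the update above applies to a given application, the following diagnostic can be run on the same classpath as the application. It is an added example, not code from the thread, MSAL4J or the JDBC driver; the class name `XsltProviderCheck` and the `isSaxon` helper are hypothetical, and it uses only standard JAXP and JDK calls.

```java
import java.net.URL;
import java.security.CodeSource;
import java.util.Collections;
import javax.xml.transform.TransformerFactory;

// Added diagnostic: reports which XSLT TransformerFactory this JVM resolves
// by default and which jar supplies it.
public class XsltProviderCheck {

    // JAXP lookup key; also the name of the META-INF/services registration file.
    static final String KEY = "javax.xml.transform.TransformerFactory";

    // Saxon factory classes live under net.sf.saxon (open-source edition)
    // or com.saxonica (commercial editions).
    static boolean isSaxon(String className) {
        return className.startsWith("net.sf.saxon.") || className.startsWith("com.saxonica.");
    }

    public static void main(String[] args) throws Exception {
        // 1. An explicit system property takes precedence over classpath discovery.
        System.out.println("System property " + KEY + " = " + System.getProperty(KEY));

        // 2. Jars on the classpath that register a factory through the service file.
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        for (URL u : Collections.list(cl.getResources("META-INF/services/" + KEY))) {
            System.out.println("Service registration: " + u);
        }

        // 3. The implementation a library receives when it calls newInstance().
        Class<?> impl = TransformerFactory.newInstance().getClass();
        System.out.println("Default factory: " + impl.getName());
        CodeSource src = impl.getProtectionDomain().getCodeSource();
        System.out.println("Loaded from: " + (src == null ? "JDK runtime" : src.getLocation()));

        System.out.println(isSaxon(impl.getName())
                ? "Saxon is the default XSLT processor in this JVM."
                : "Saxon is not the default XSLT processor in this JVM.");
    }
}
```

If the default factory resolves to a Saxon class, the "Loaded from" line identifies the jar (often a transitive dependency) that the options listed in the answer would apply to.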