SAML SP Initiated login not working for Saas Application

Question

SAML SP Initiated login not working for Saas Application

Anil Kumar Agrawal 25

I have integrated my application with Azure Active Directory. I am using Azure as IDP for my Saas application using SAML protocol. I am able to login in my application when initiating login through IDP. But login inited through my application (Service Provider) not working. I am receiving below error.

Error

Sorry, but we’re having trouble signing you in.

AADSTS7500525: There was an XML error in the SAML message at line 2, position 656. Verify that the XML content of the SAML messages conforms to the SAML protocol specifications.

Note : Same application is successfully integrated with other SAML IDPs like Okta, KeyCloak etc

Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2023-10-04T10:52:09.9433333+00:00

Hi @Anil Kumar Agrawal

Thank you for reaching out!

I understand that you are facing an issue to login application by service provider and getting and error code AADSTS7500525.
May I know are you used any Compressed SAML request by using the compression methods.
If yes, Microsoft Entra ID does not support compressed SAML authentication requests, due to security concerns. Compressed requests can be tampered with more easily, which could lead to security vulnerabilities.

Reference: Azure AD SAML2 request rejected: AADSTS7500525 - Microsoft Q&A

Thanks
Akhilesh

Anil Kumar Agrawal 25

Hi Akhilesh,

Request is not compressed. My application (Service Provider) using POST Binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST).

This the request body
POST

RelayState: https://192.168.4.196:2029/saml/success?client_name=SAMLAzureIDPClient

SAMLRequest: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWwycDpBdXRoblJlcXVlc3QgQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlVVJMPSJodHRwczovLzE5Mi4xNjguNC4xOTY6MjAyOS9zYW1sL3N1Y2Nlc3M/Y2xpZW50X25hbWU9U0FNTEF6dXJlSURQQ2xpZW50IiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tLzczNzViMDk5LTAxZjQtNDc3YS05NzNkLWJlMjljYjJjNGM4NS9zYW1sMiIgRm9yY2VBdXRobj0iZmFsc2UiIElEPSJfbm13NDk0aTdwYXBmMmRqYnowbjFoaWR5czVuaGIxbG94eHFweWNjIiBJc1Bhc3NpdmU9ImZhbHNlIiBJc3N1ZUluc3RhbnQ9IjIwMjMtMTAtMDVUMDY6MjU6MzUuNTgyWiIgUHJvdG9jb2xCaW5kaW5nPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NUIiBWZXJzaW9uPSIyLjAiIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48c2FtbDI6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5IiBOYW1lUXVhbGlmaWVyPSJpbnRlcnJhb3Jpb25vdHQiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5pbnRlcnJhb3Jpb25vdHQ8L3NhbWwyOklzc3Vlcj48L3NhbWwycDpBdXRoblJlcXVlc3Q+

Here SAMLRequest is plain Base64 encoded string

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="https://192.168.4.196:2029/saml/success?client_name=SAMLAzureIDPClient"
                     Destination="https://login.microsoftonline.com/7375b099-01f4-477a-973d-be29cb2c4c85/saml2"
                     ForceAuthn="false"
                     ID="_nmw494i7papf2djbz0n1hidys5nhb1loxxqpycc"
                     IsPassive="false"
                     IssueInstant="2023-10-05T06:25:35.582Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  NameQualifier="interraorionott"
                  >interraorionott</saml2:Issuer>
</saml2p:AuthnRequest>

AuthnRequest Summary


AssertionConsumerServiceURL	https://192.168.4.196:2029/saml/success?client_name=SAMLAzureIDPClient
Destination	https://login.microsoftonline.com/7375b099-01f4-477a-973d-be29cb2c4c85/saml2
ForceAuthn	false
ID	_nmw494i7papf2djbz0n1hidys5nhb1loxxqpycc
IsPassive	false
IssueInstant	2023-10-05T06:25:35.582Z
ProtocolBinding	urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Version	2.0
Issuer	interraorionott

Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2023-10-10T06:16:04.12+00:00

Hi @Anil Kumar Agrawal

This seems it require further troubleshooting, could you please share the fiddler trace of your request/response. Also, please send us an email on AZ community [at] Microsoft [dot] com referencing this issue with a subject line "ATTN: Akhilesh" along with you Azure subscription id and we will help you with alternative support options on this.

Anil Kumar Agrawal 25

Hi Akhilesh,

I found the issue.

Actually "NameQualifier" attribute in SAMLRequest was causing the issue. My SAMLRequest xml was as below

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://192.168.4.196:2029/saml/success?client_name=SAMLAzureIDPClient" Destination="https://login.microsoftonline.com/7375b099-01f4-477a-973d-be29cb2c4c85/saml2" ForceAuthn="false" ID="_7vv2gnttgby6vhdsakukbcqrdingpbqew2run83" IsPassive="false" IssueInstant="2023-10-05T11:24:52.980Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
	xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
	<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" NameQualifier="interraorionott"
		xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">interraorionott
	</saml2:Issuer>
</saml2p:AuthnRequest>

Which was not working. After removing the "NameQualifier" attribute from SAMLRequest SP initiated authentication working properly.

So the valid SAMLRequest xml is as below

<saml2p:AuthnRequest AssertionConsumerServiceURL="https://192.168.4.196:2029/saml/success?client_name=SAMLAzureIDPClient" Destination="https://login.microsoftonline.com/7375b099-01f4-477a-973d-be29cb2c4c85/saml2" ForceAuthn="false" ID="_8230404c9fdc4f3ab8036f3e98fd2dd812d5b8f" IsPassive="false" IssueInstant="2023-10-05T11:16:32.904Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
	xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
	<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
		xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">interraorionott
	</saml2:Issuer>
</saml2p:AuthnRequest>

Accepted answer

1 additional answer

Your answer

Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2023-10-04T10:52:09.9433333+00:00

Hi @Anil Kumar Agrawal

Thank you for reaching out!

I understand that you are facing an issue to login application by service provider and getting and error code AADSTS7500525.
May I know are you used any Compressed SAML request by using the compression methods.
If yes, Microsoft Entra ID does not support compressed SAML authentication requests, due to security concerns. Compressed requests can be tampered with more easily, which could lead to security vulnerabilities.

Reference: Azure AD SAML2 request rejected: AADSTS7500525 - Microsoft Q&A

Thanks
Akhilesh
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2023-10-10T06:16:04.12+00:00

Hi @Anil Kumar Agrawal

This seems it require further troubleshooting, could you please share the fiddler trace of your request/response. Also, please send us an email on AZ community [at] Microsoft [dot] com referencing this issue with a subject line "ATTN: Akhilesh" along with you Azure subscription id and we will help you with alternative support options on this.
Anil Kumar Agrawal 25 Reputation points

2023-10-10T06:49:43.29+00:00

Hi Akhilesh,

I found the issue.

Actually "NameQualifier" attribute in SAMLRequest was causing the issue. My SAMLRequest xml was as below

<?xml version="1.0" encoding="UTF-8"?> <saml2p:AuthnRequest AssertionConsumerServiceURL="https://192.168.4.196:2029/saml/success?client_name=SAMLAzureIDPClient" Destination="https://login.microsoftonline.com/7375b099-01f4-477a-973d-be29cb2c4c85/saml2" ForceAuthn="false" ID="_7vv2gnttgby6vhdsakukbcqrdingpbqew2run83" IsPassive="false" IssueInstant="2023-10-05T11:24:52.980Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" NameQualifier="interraorionott" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">interraorionott </saml2:Issuer> </saml2p:AuthnRequest>

Which was not working. After removing the "NameQualifier" attribute from SAMLRequest SP initiated authentication working properly.

So the valid SAMLRequest xml is as below

<saml2p:AuthnRequest AssertionConsumerServiceURL="https://192.168.4.196:2029/saml/success?client_name=SAMLAzureIDPClient" Destination="https://login.microsoftonline.com/7375b099-01f4-477a-973d-be29cb2c4c85/saml2" ForceAuthn="false" ID="_8230404c9fdc4f3ab8036f3e98fd2dd812d5b8f" IsPassive="false" IssueInstant="2023-10-05T11:16:32.904Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">interraorionott </saml2:Issuer> </saml2p:AuthnRequest>

Answer 1

Hi @Anil Kumar Agrawal

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

Issue:

In the process of application integration users is able to login with the application in initiating login through IDP. Though login initiated through application (Service Provider) getting following error

Error:
Sorry, but we’re having trouble signing you in. AADSTS7500525: There was an XML error in the SAML message at line 2, position 656. Verify that the XML content of the SAML messages conforms to the SAML protocol specifications.

Solution

To resolve the issue by removing the "NameQualifier" attribute from SAML Request which is from Service Provider. The valid SAML Request is below.

If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

I hope this helps!

If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.

Answer 2

Valid SAML Request XML (after removing attribute "NameQualifier")

<saml2p:AuthnRequest AssertionConsumerServiceURL="https://192.168.4.196:2029/saml/success?client_name=SAMLAzureIDPClient" Destination="https://login.microsoftonline.com/7375b099-01f4-477a-973d-be29cb2c4c85/saml2" ForceAuthn="false" ID="_8230404c9fdc4f3ab8036f3e98fd2dd812d5b8f" IsPassive="false" IssueInstant="2023-10-05T11:16:32.904Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
	xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
	<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
		xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">interraorionott
	</saml2:Issuer>
</saml2p:AuthnRequest>

Share via

SAML SP Initiated login not working for Saas Application

1 additional answer

Your answer