This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 31%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Hello,
I have simple SAML app that I want to get into from one Azure-AD joined Windows 10 device.
So when the app redirects my browser to Azure-AD, the app wants to do silent authentication.
Hence the app is sending isPassive=true in the SAML request.
Everything looks logical expect that, there is NO account in the cookie.
The only account that I am operating with is the PRT
So I was in impression that Azure-AD will use the incoming PRT with the SAML request and get the SAML-assertion out for the app.
Unfortunately AAD is not doing that way.
AAD is erroring out, saying that passive form is NOT possible because there is NO ACCOUNT in the cookie.
My question is, how can app instructs silent-authentication in the request and instructs AAD to use the PRT ??
Thanks.
Just forget to tell that above issue is ONLY ON CHROME
I am getting AADSTS50058 on Chrome. I am NOT getting this error on Edge while hitting EXACT SAME URL shown below.
https://login.microsoftonline.com/5abbc4c8-c6a0-4211-b75f-b372350510/oauth2/v2.0/authorize?client_id=309426cc-4483-4ee5-aba9-a057a4d49938
&response_type=code&scope=api://11adcfe4-5b3d-47c2-82c5-2654c70e179c/myscope1 offline_access&redirect_uri=https://jwt.ms&nonce=23493&prompt=none&login_hint=testuser26@mylabtenant.onmicrosoft.com
Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@testuser7 Thank you for reaching out to us. As I understand you are getting error AADSTS50058 while accessing a saml app on chrome but on edge it works fine.
This generally occurs when there is a silent request sent to Azure AD to sign-in a user. Silent request usually has a 'prompt' parameter with a value of 'none'
When using silent requests, it is expected that the user has already signed in and there is a cookie in the request headers. If this cookie is missing or the session has expired, this error will be thrown.
The application must be able to handle this error and be ready to have the user interactively sign-in again.
Sometimes, a browser configuration or how the application sends the silent request may block the cookies from being passed. In your case, you want to make sure that the browser is properly configured such as adding both login.microsoftonline.com and the applications endpoint to the trusted sites.
Let me know if this helps. If you have any further updates on this issue, please feel free to post back.
Thanks @Givary-MSFT for the overview. But that is not we were looking.
Check my exact request above. I am putting it again below. It has prompt=none.
The question that you should have asked me is, how many accounts are present in the cookie ???
the answer is "ONLY ONE ACCOUNT"
https://login.microsoftonline.com/5abbc4c8-c6a0-4211-b75f-b372350510/oauth2/v2.0/authorize?client_id=309426cc-4483-4ee5-aba9-a057a4d49938
&response_type=code&scope=api://11adcfe4-5b3d-47c2-82c5-2654c70e179c/myscope1 offline_access&redirect_uri=https://jwt.ms&nonce=23493&prompt=none
Just hit above URL on EDGE and on Chrome.
Of course you have to change the tenant-id, app-id and scope.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 73%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELN%3C/text%3E%3C/svg%3E)
You can remove prompt=none in contrast to see what will happen in chrome? Will it instruct you to login?
Sure will do that. Thanks @Givary-MSFT