1,978 questions
Does Azure SAML IDP require that the service provider use “HTTP redirect” binding to verify signatures on authnrequest ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 37%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDK%3C/text%3E%3C/svg%3E)
Donald Kelley
5
Reputation points
Currently out application uses "HTTP POST" binding with the signature contained instide the authnrequest. In this configuration, when requiring signed requests Azure returns error AADSTS76021. If the signature is not required it works correctly.
We are trying to determine if the HTTP redirect is required to verify the signatures rather than allowing usage of HTTP Post.
We have received examples showing the usage of redirect however:
what we are trying to understand is
“Here is how it can work” versus “Here is how it must work”.
“The cloud service (the service provider) uses an HTTP Redirect binding”
Vs
“The cloud service (the service provider) must use an HTTP Redirect binding”
{count} vote
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 34,121 Reputation points Microsoft Employee2023-02-03T21:06:57.0866667+00:00 I agree with you that the requirements could be clearer. Based on the same documentation you quoted, it does sound like it needs to be an HTTP Redirect. https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol
The cloud service (the service provider) uses an HTTP Redirect binding to pass an
AuthnRequest(authentication request) element to Azure AD (the identity provider).That said, in Azure documentation SAML Request Signature Verification (Preview) there is no mention of any specific binding requirement for the service provider.
I have reached out to the product team to confirm and will get back to you once I have clarification.
-
Donald Kelley 5 Reputation points
2023-02-06T20:46:40.52+00:00 @Marilee Turscak-MSFT thank you. Looking forward to your reply so we can determine our next steps / needs
-
Marilee Turscak-MSFT 34,121 Reputation points Microsoft Employee
2023-02-06T20:52:38.7433333+00:00 Thanks @Donald Kelley , I heard back from the product team that there are some ongoing escalations with regards to HTTP POST vs HTTP Redirect (both with the error message QueryStringTooLong), and the investigation is not yet concluded. Could you please share the correlation id, timestamp, and full error message? If you would prefer to send it over email you can reach me at AzCommunity@microsoft.com ("Attn: Marilee Turscak").
-
Donald Kelley 5 Reputation points
2023-02-07T12:56:27.6266667+00:00 I have sent the email as requested
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 7.000000000000001%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
Ran Shtivi 10 Reputation points2023-02-26T11:23:50.1866667+00:00 did you resolve this issue ?
I get this error even though the request is signed.
Message: AADSTS76021: The request sent by client is not signed while the application requires signed requests -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 52%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
BarbaraJensen 6 Reputation points2024-01-05T16:03:16.82+00:00 I know that the Azure IdP supported HTTP-POST binding for the AuthnRequest. We have many many customers that use Azure IdP with our SP that only supports HTTP-POST binding. (I can find lots of cases that confirm it) How they managed to configure POST binding in Azure, I don't know; Azure docs are a maze.
I am unable to confirm the same for Entra ID in my case system. It would have been exceedingly nice if a Spanish word wasn't used for the name of such a high-profile business product.
So specifically:
Does the Entra IdP support HTTP-POST binding for the AuthnRequest? I have someone telling me that it does not, referring me to this document:
https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol
Since I see your doc says: Azure Active Directory (Azure AD) is now Microsoft Entra ID, I think it would be weird to remove support for something that is so basic.
If Entra ID does support POST binding for the AuthnRequest, do you have a link to a doc that shows how/where to set it?
Sign in to comment