AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding.

chenna 0 Reputation points
2023-05-16T21:46:55.37+00:00

Hello Everyone,

In our organization we are installing SSO (Single sign-on) using Azure AD services, and we have installed it following this Microsoft link: https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/jiramicrosoft-tutorial

Now, when we try to log in on the SSO page, we get the error "AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding". We followed many articles and videos, but they did not work for me, even though I tried a different browser as well.

Reference links which we followed:

  1. https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts750054-saml-request-not-present
  2. https://www.youtube.com/watch?v=ydQDnrSpA8U

And many more. I have double-checked with our team that the mentioned details are correct.

Could you please help with this?

Regards,

Channakesa


4 answers

  1. Konstantinos Passadis 17,456 Reputation points MVP
    2023-05-16T22:10:01.96+00:00

    Hello @Chindanur Channakesa !

    Welcome to Microsoft QnA!

    I understand you are having trouble configuring SSO with Jira and Azure AD!

    So, have you verified that things like MFA and Conditional Access Policies are not affecting the process?

    Do you have Security Defaults enabled, for example? Or other CA Policies?

    Did you try this? I suppose you did already, but I have to ask!

    1. Open Azure AD and Navigate to Enterprise Applications > Atlassian Cloud App > Single Sign On
    2. On the Set up Single Sign-On with SAML page, scroll down to Set Up Atlassian Cloud.
    3. Copy Azure AD Identifier value from Azure portal, and compare it with Identity Provider Entity ID textbox in Atlassian. If the value differs, update the Identity Provider Entity ID textbox in Atlassian with the new value.
    4. Copy Login URL value from Azure portal, and compare it with Identity Provider SSO URL textbox in Atlassian. If the value differs, update the Identity Provider SSO URL textbox in Atlassian with the new value.
    5. Add and Save the SAML Configuration in Atlassian.
    6. Test SAML SSO again

    Can you share more, for example what do we see in the Azure Sign-In Logs?


    Can you use Fiddler to analyze the requests?

    https://www.samltool.com/saml_tools.php

    Try to use a tool that will show us what is going on!

    Also, is there any firewall or network service that may interfere?

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards
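
Added example, not part of the answer above and not Microsoft's or Atlassian's code: a small Python decoder for what a Fiddler or browser capture of the redirect to the Azure AD Login URL should contain. It reports the AADSTS750054 condition (no SAMLRequest in the query string) and otherwise extracts the Issuer, Destination and AssertionConsumerServiceURL to compare with the portal values; the tenant ID, Jira host and ACS path are constructed sample values.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML = 1 << 20  # cap on inflated size; a SAML message is a few KB


def inspect_redirect(url):
    """Decode a captured Redirect-binding URL into the fields worth comparing."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    endpoint = f"{parts.scheme}://{parts.netloc}{parts.path}"
    name = next((k for k in ("SAMLRequest", "SAMLResponse") if k in query), None)
    if name is None:
        # The condition AADSTS750054 reports: no SAML message in the query string.
        return {"endpoint": endpoint, "message": None, "params": sorted(query)}
    raw = base64.b64decode(query[name][0])
    # Redirect binding encoding: raw DEFLATE (no zlib header), base64, URL-encode.
    xml = zlib.decompressobj(-15).decompress(raw, MAX_XML)
    root = ET.fromstring(xml)  # own captured traffic only; defusedxml otherwise
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "endpoint": endpoint,
        "message": name,
        "type": root.tag.split("}")[-1],
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }


def encode_redirect(sso_url, xml):
    """Build a sample redirect URL the way an SP would (sample data only)."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    packed = deflater.compress(xml.encode()) + deflater.flush()
    return sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(packed)})


# Constructed sample values, not taken from the thread.
SSO_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
SAMPLE_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_a1" '
    f'Version="2.0" IssueInstant="2023-05-16T21:46:55Z" Destination="{SSO_URL}" '
    'AssertionConsumerServiceURL="https://jira.example.com/saml/acs">'
    "<saml:Issuer>https://jira.example.com</saml:Issuer></samlp:AuthnRequest>"
)
```

Calling `inspect_redirect()` on the URL copied from the capture returns `"message": None` when the browser reached the Login URL without a SAML message, for example from a bookmark or a plain link to the Login URL.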


  2. Konstantinos Passadis 17,456 Reputation points MVP
    2023-05-16T23:07:48.65+00:00

    Hello @Chindanur Channakesa !

    So it is On-Premises Jira.

    Do me a favor and verify that the Application is working correctly when you try to log in to the On-Premises URL from the VM that hosts the Application Proxy Connector.

    Are you using a Custom Domain? Remember, with Application Proxy you have to first enable some prerequisites for the Connector and then make the Integration.

    Please go through the Docs carefully and in detail if you have not yet done so!

    https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-config-sso-how-to

    https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-deployment-plan

    https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-add-on-premises-application

    Pre-authentication method in Azure portal

    If you change to Pass through, are you presented with the Login Page?

    You need to meet the following prerequisites before beginning your implementation. You can see more information on setting up your environment, including these prerequisites, in this tutorial.

    Connectors: Connectors are lightweight agents that you can deploy onto:
    
        Physical hardware on-premises
    
        A VM hosted within any hypervisor solution
    
        A VM hosted in Azure to enable outbound connection to the Application Proxy service.
    
    See Understand Azure AD App Proxy Connectors for a more detailed overview.
    
        Connector machines must be enabled for TLS 1.2 before installing the connectors.
    
        If possible, deploy connectors in the same network and segment as the back-end web application servers. It's best to deploy connectors after you complete a discovery of applications.
    
        We recommend that each connector group has at least two connectors to provide high availability and scale. Having three connectors is optimal in case you may need to service a machine at any point. Review the connector capacity table to help with deciding what type of machine to install connectors on. The larger the machine the more buffer and performant the connector will be.
    
    Network access settings: Azure AD Application Proxy connectors connect to Azure via HTTPS (TCP Port 443) and HTTP (TCP Port 80).
    
        Terminating connector TLS traffic isn't supported and will prevent connectors from establishing a secure channel with their respective Azure App Proxy endpoints.
    
        Avoid all forms of inline inspection on outbound TLS communications between connectors and Azure. Internal inspection between a connector and backend applications is possible, but could degrade the user experience, and as such, isn't recommended.
    
        Load balancing of the connectors themselves is also not supported, or even necessary.
    

    For custom Domain you need the certificate

    Also

    This table shows requirements for specific attributes in the SAML 2.0 message.

    NameID: The value of this assertion must be the same as the Azure AD user’s ImmutableID. It can be up to 64 alpha numeric characters. Any non-html safe characters must be encoded, for example a “+” character is shown as “.2B”.

    IDPEmail: The User Principal Name (UPN) is listed in the SAML response as an element with the name IDPEmail. The user’s UserPrincipalName (UPN) in Azure AD/Microsoft 365. The UPN is in email address format. UPN value in Windows Microsoft 365 (Azure Active Directory).

    Issuer: Required to be a URI of the identity provider. Do not reuse the Issuer from the sample messages. If you have multiple top-level domains in your Azure AD tenants the Issuer must match the specified URI setting configured per domain.

    Important: Azure AD currently supports the following NameID Format URI for SAML 2.0: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

    Think of it like a 2-step process: Application Proxy Integration and SSO with SAML.

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards


  3. chenna 0 Reputation points
    2023-05-17T15:57:54.74+00:00

    Hello @Konstantinos Passadis

    Our servers are hosted in Azure (DC); the mentioned links couldn't help us.

    -> In our Jira Data Center we also added the authentication methods using single sign-on.

    -> While logging in to the Jira server using SSO, we get the error below.

    AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding.

    Then we followed some articles that say to enable the extension. Is it mandatory to enable it?

    Need your suggestion please

    Regards,

    channakesa


  4. Konstantinos Passadis 17,456 Reputation points MVP
    2023-05-17T17:00:37.21+00:00

    Hello @Chindanur Channakesa !

    Yes! You need this plugin!

    JIRA plugin supports version 6.0 to 7.13.3, 8.0, 8.1.1, 8.2.1, 8.2.4, 8.5.4 , 8.8.1, 8.11.0 to 8.22.1 and 9.0 to 9.5

    Support for JIRA Service Desk 3.0.0 to 4.13

    JIRA Service Management 4.14 to 4.22.1

    Support for Azure US Government Cloud with .us URLs

    Force login option in the plugin so that users don't see the username and password option and they are automatically redirected to Azure AD for authentication.

    Use your Microsoft Azure Active Directory account with Atlassian JIRA server to enable single sign-on. This way all your organization users can use the Azure AD credentials to login into the JIRA application. This plugin uses SAML 2.0 for federation. Here is the article which provides step by step guide for configuring single sign-on. https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/jiramicrosoft-tutorial

    Feature Added

    Application Proxy Support - Added checkbox on the configure plugin screen to toggle the App Proxy mode so as to make the Reply URL editable as per the need to point it to the proxy server URL
    

    Detailed instructions to configure the plugin are mentioned in this document. https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/jiramicrosoft-tutorial

    For the SSO to work you need:

    1. Configure Azure AD SSO - to enable your users to use this feature.

       *Since you are using Application Proxy you must first integrate Jira with App Proxy:

       https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-configure-single-sign-on-on-premises-apps

    2. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
    3. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
    4. Configure JIRA SAML SSO by Microsoft SSO - to configure the single sign-on settings on application side.
    5. Create JIRA SAML SSO by Microsoft test user - to have a counterpart of B.Simon in JIRA SAML SSO by Microsoft that is linked to the Azure AD representation of user.


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards
