SAML 2.0 support with Elliptic Curve Cryptography (ECC) Certificates

sannav 0 Reputation points
2023-11-02T06:39:21.4066667+00:00

We have added SAML 2.0 support for our application with Identity Provider as Microsoft Azure.

Our Service Provider has Elliptic Curve Cryptography (ECC) Certificate. The metadata having certificate is imported in Azure. When we try to login with Azure, we get error: “AADSTS75005: The request is not a valid SAML 2.0 protocol message or contains invalid or potentially dangerous characters.”. When we replace the certificate with RSA, login works fine.

Can anyone please suggest if I am missing something or currently we do not have support for ECC with Azure?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,226 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Akhilesh 6,740 Reputation points Microsoft Vendor
    2023-11-06T08:10:42.88+00:00

    Hi @sannav

    Thank you for reaching us!
    I understand that you have imported the Elliptic Curve Cryptography (ECC) Certificate to Azure and got an error AADSTS75005 while trying to log in with Azure. When you replaced the certificate with RSA, you were able to log in successfully.

    Currently, Microsoft Azure AD does not support ECC certificates for SAML 2.0 authentication. It supports RSA certificates. To resolve this issue, you needed to use an RSA certificate instead of an ECC certificate for your Service Provider.

    The error AADSTS75005 states that the request you sent to Azure AD for SAML-based single sign-on is not valid.

    I hope this answer helps! If you have any further questions, please feel free to ask.

    Reference: https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts75005-not-a-valid-saml-request

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-saml-idp

    https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/certificate-signing-options

    Thanks,

    Akhilesh.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.