Microsoft Entra SAML Toolkit launcher sends response without SAMLResponse

Question

Microsoft Entra SAML Toolkit launcher sends response without SAMLResponse

Mark Babayev 226

I have correctly working SAML connection configured by the "Microsoft Entra SAML Toolkit".

When I manually login to the signOnURL with manually created SAMLRequest everything goes well.

The problem occurs when I try to test it in the "Test single sign-on with Microsoft Entra SAML Toolkit" or when I try to launch my application from the "My Application" page https://myapplications.microsoft.com/:

https://launcher.myapps.microsoft.com/api/signin/dd8516bf-5edf-4f74-9d31-b51a53c324a4?tenantId=483377f3-4860-4ce5-8d05-dee17ba17dbf

In these cases the authentication request is returned to my BackEnd server callback without a SAMLResponse parameter.

The following configuration properties in SAML Toolkit are enabled:

Enabled for users to sign-in?
Assignment required?
Visible to users?

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2024-01-12T19:40:13.3733333+00:00

@Mark Babayev
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

1 answer

Your answer

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2024-01-12T19:40:13.3733333+00:00

@Mark Babayev
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

Akhilesh Vallamkonda 15,320 Microsoft External Staff Moderator

Hi @Mark Babayev

Thank you for posting your query on Q&A.

If the authentication request is returned without a SAMLResponse parameter, it means that the sign-on process failed or was interrupted. it seems the application is not using HTTP redirect binding when sending the SAML request to Microsoft Entra ID. Could you please check the callback URL where you are using an IDP-initiated URL not the SP-initiated URL? the IdP also needs to know the callback URL in order to send the SAML response to the correct location.
Could you please check that the SAML toolkit is properly configured with the correct values for the SAML endpoint, issuer, and certificate which has not expired.
I hope this information helps! please Feel free to ask any questions you may have.

Thanks,
Akhilesh.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-01-12T06:44:26.8466667+00:00

@Mark Babayev
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-01-14T14:22:04.1866667+00:00

@Mark Babayev
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Mark Babayev 226 Reputation points

2024-01-14T20:54:50.5533333+00:00
it seems the application is not using HTTP redirect binding when sending the SAML request to Microsoft Entra ID

The SAML connection is working correct when logging in from WA. The problem is only when launching it from "Azure AD SAML Toolkit" test and from https://myapps.microsoft.com/

Could you please check the callback URL where you are using an IDP-initiated URL not the SP-initiated URL? the IdP also needs to know the callback URL in order to send the SAML response to the correct location.

Please explain what callback URL do you mean. The Azure AD SAML Toolkit has only these URLs:

Reply URL (Assertion Consumer Service URL)

Sign on URL

Logout Url (Optional)

Which all point to BE: https://XXX/saml/callback

The produced "Federation Metadata XML" has these URLs:

<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/93149d4b-79b2-4e8b-9f78-10f443ed56eb/saml2"/> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/93149d4b-79b2-4e8b-9f78-10f443ed56eb/saml2"/>
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-01-20T13:00:53.94+00:00

@Mark Babayev
Callback URL is also known as the Reply URL or the Assertion Consumer Service URL.
Could you please confirm the entity ID on your side does match the one specified in the SAML response? could you please check the SAML response formatted according to the SAML 2.0 specification, ensure that it follows the SAML 2.0 schema.
Please share the details of error response what you are getting.
for more information, please go through Microsoft Entra SSO integration with Microsoft Entra SAML Toolkit

Mark Babayev 226

For regular SAML requests all these lines are correct:

The entity ID on our side matches the one specified in the SAML response
The SAML response formatted according to the SAML 2.0 specification,
It follows the SAML 2.0 schema.

Please share the details of error response what you are getting.

For Azure requests we don't receive error responses. We just receive a request from Azure without SAMLResponse.

For regular requests we build SAMLRequest this way:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="randomString" Version="2.0"
                ProviderName="Trustifi"
                ForceAuthn="true"
                IsPassive="false"
                IssueInstant="DatetoISOString"
                Destination="https://login.microsoftonline.com/93149d4b-79b2-4e8b-9f78-10f443ed56eb/saml2"
                ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                AssertionConsumerServiceURL="https://XXX/saml/callback">
<saml:Issuer>https://trustifi.com</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
</samlp:AuthnRequest>

and redirect to:https://login.microsoftonline.com/93149d4b-79b2-4e8b-9f78-10f443ed56eb/saml2?SAMLRequest=SAMLREQUEST

Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-01-24T12:40:42.2666667+00:00

@Mark Babayev
We have tested your scenario in our lab and the result was expected. please follow and check the bellow reference documents.
Microsoft Entra SSO integration with Microsoft Entra SAML Toolkit
https://samltoolkit.azurewebsites.net/
Mark Babayev 226 Reputation points

2024-02-14T12:58:35.5133333+00:00

I think, an issue here is in the "Sign on URL" field:

Sign on URL is used if you would like to perform service provider-initiated single sign-on. This value is the sign-in page URL for your application. This field is unnecessary if you want to perform identity provider-initiated single sign-on.

Before, I set it to the Backend reply callback, but it really should be a Frontend login page. Now, the response is returned without an error, but it doesn't do user authentication and doesn't return any token with this URL. Is it possible to receive back at least a user name?

For example, in Okta we can have the same "Sign on URL" and "Reply URL", both pointing to Backend. As well as multiple SSO urls ("Other Requestable SSO URLs"), for example for multitenant application.

https://support.okta.com/help/s/article/How-to-add-additional-Requestable-SSO-URLs

Share via

Microsoft Entra SAML Toolkit launcher sends response without SAMLResponse

1 answer

Your answer