Thank you for posting this in Microsoft Q&A.
I understand you are facing an issue with SSO in a sandbox environment while using Step-Up Authentication within an app (Workday). The error message they are receiving is "AADSTS7500522: XML element 'AuthnContextClassRef' in XML Namespace 'urn:oasis:names:tc:SAML:2.0:assertion' in the SAML message must be a URI."
This error indicates an issue with the SAML authentication context. To resolve this issue, you will need to ensure that the AuthnContextClassRef element in the SAML message is a URI. Microsoft Entra ID supports AuthnContextClassRef values such as urn:oasis:names:tc:SAML:2.0:ac:classes:Password.
Can you check with the application (Workday) team to ensure that the SAML message being sent to Azure AD contains a valid URI for the AuthnContextClassRef element?
Please follow the steps mentioned in the documents below.
https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol
Error AADSTS7500522
Please do correct me if this is not the case by responding in the comments section.
Hope this helps. Do let us know if you have any further queries.
Thanks,
Navya.
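
One way to verify what the application is actually sending, as an added example that is not part of the original answer and not Microsoft's or Workday's code: decode a captured `SAMLRequest` value (HTTP-Redirect binding) and flag any `AuthnContextClassRef` that is not a URI. The URI test used here (an absolute URI with a scheme) is an assumption about what the error message means, and the sample request is constructed.

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET

CLASS_REF = "{urn:oasis:names:tc:SAML:2.0:assertion}AuthnContextClassRef"
# Assumption: "a URI" means an absolute URI (RFC 3986 scheme, ':', non-empty rest).
ABSOLUTE_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:\S+$")

def decode_redirect_binding(saml_request: str) -> str:
    """Decode a URL-decoded SAMLRequest value (base64 over raw DEFLATE)."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")

def encode_redirect_binding(xml: str) -> str:
    """Inverse of decode_redirect_binding; used here to build the sample input."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def check_class_refs(authn_request_xml: str):
    """Return [(value, is_uri)] for each AuthnContextClassRef in the request."""
    root = ET.fromstring(authn_request_xml)  # prefer defusedxml for untrusted XML
    out = []
    for el in root.iter(CLASS_REF):
        value = (el.text or "").strip()
        out.append((value, bool(ABSOLUTE_URI.match(value))))
    return out

# Constructed sample request; the ID, issuer and values are made up for illustration.
SAMPLE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>Password</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    captured = encode_redirect_binding(SAMPLE)  # stands in for a captured parameter
    for value, ok in check_class_refs(decode_redirect_binding(captured)):
        print("OK " if ok else "BAD", repr(value))
```

A value copied from a browser trace must be URL-decoded before it is passed to `decode_redirect_binding`; a request sent with the HTTP-POST binding is base64 only and is not deflated.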