How to edit SAML XML for AuthnContextClassRef

Serpas, Omar 0 Reputation points
2024-02-29T14:57:44.83+00:00

We are setting up SSO in a sandbox environment to use Step-Up Authentication within an app (Workday). Basically, once in a verified session, when you reach a certain site or link you are asked again to reverify your identity for security. However, we are running into a problem where that second prompt to verify your identity gives the error in the screenshot: AADSTS7500522: XML element 'AuthnContextClassRef' in XML Namespace 'urn:oasis:names:tc:SAML:2.0:assertion' in the SAML message must be a URI. I can't figure out if this is on the Microsoft M365 side or on the application side where this needs to be corrected from, and I also don't know how to get this correct. I found some sites that say the SAML must be correct, but no one says HOW or gives an idea.

Microsoft 365 and Office | Install, redeem, activate | For business | Windows
Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Gudivada Adi Navya Sri 21,085 Reputation points Moderator
    2024-03-01T05:43:24.2533333+00:00

    Hi @Serpas, Omar

    Thank you for posting this in Microsoft Q&A.

    I understand you are facing an issue with SSO in a sandbox environment while using Step-Up Authentication within an app (Workday). The error message you are receiving is "AADSTS7500522: XML element 'AuthnContextClassRef' in XML Namespace 'urn:oasis:names:tc:SAML:2.0:assertion' in the SAML message must be a URI."

    This error indicates an issue with the SAML authentication context. To resolve this issue, you will need to ensure that the AuthnContextClassRef element in the SAML message is a URI. Microsoft Entra ID supports AuthnContextClassRef values such as urn:oasis:names:tc:SAML:2.0:ac:classes:Password.

    Can you check with the application (Workday) team to ensure that the SAML message being sent to Azure AD contains a valid URI for the AuthnContextClassRef element?

    Please follow the steps mentioned in the documents below.
    https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol
    Error AADSTS7500522

    Please do correct me if this is not the case by responding in the comments section.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    1 person found this answer helpful.
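
To see which side produces the value the error complains about, the SAMLRequest captured from the step-up redirect can be decoded and its AuthnContextClassRef inspected. The following is an added example, not part of the answer above and not Microsoft or Workday code; the URI test (an RFC 3986 scheme plus a non-whitespace remainder) only approximates the check, and the sample requests, including the bare value `Password`, are constructed.

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Assumption: "is a URI" = RFC 3986 scheme, a colon, then a remainder without whitespace.
ABSOLUTE_URI = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*:\S+")


def decode_saml_request(b64_value, deflated=True):
    """Decode a URL-decoded SAMLRequest: base64 (POST) or base64 + raw DEFLATE (Redirect)."""
    raw = base64.b64decode(b64_value)
    if deflated:
        raw = zlib.decompress(raw, -15)  # -15 = raw DEFLATE, no zlib header
    return raw.decode("utf-8")


def check_authn_context(xml_text):
    """Return [(value, looks_like_uri)] for each requested AuthnContextClassRef."""
    if "<!DOCTYPE" in xml_text:
        # SAML messages carry no DTD; refuse instead of parsing entity declarations.
        raise ValueError("DOCTYPE not expected in a SAML message")
    root = ET.fromstring(xml_text)
    refs = root.findall("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return [(r.text or "", bool(ABSOLUTE_URI.fullmatch(r.text or ""))) for r in refs]


def constructed_request(class_ref):
    # Constructed sample AuthnRequest (Redirect binding); issuer and ID are placeholders.
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" '
        'IssueInstant="2024-02-29T14:57:44Z">'
        "<saml:Issuer>https://sp.example.invalid</saml:Issuer>"
        '<samlp:RequestedAuthnContext Comparison="exact">'
        f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
        "</samlp:RequestedAuthnContext></samlp:AuthnRequest>"
    )
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


if __name__ == "__main__":
    for ref in ("urn:oasis:names:tc:SAML:2.0:ac:classes:Password", "Password"):
        print(check_authn_context(decode_saml_request(constructed_request(ref))))
```

If the decoded request from the application already carries a non-URI value, the fix belongs in the service provider's step-up configuration, not in the identity provider.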

  2. Melkamu Yihun 0 Reputation points
    2025-11-05T05:22:41.49+00:00

    Courses.bdu.edu.et

