How to edit SAML XML for AuthnContextClassRef

Serpas, Omar 0 Reputation points
2024-02-29T14:57:44.83+00:00

We are setting up SSO in a sandbox environment to use Step-Up Authentication within an app (Workday). Basically, once in a verified session, when you reach a certain site or link you are re-asked to re-verify your identity for security. However, we are running into a problem where that second prompt to verify your identity gives the error in the screenshot: AADSTS7500522: XML element 'AuthnContextClassRef' in XML Namespace 'urn:oasis:names:tc:SAML:2.0:assertion' in the SAML message must be a URI. Can't figure out if this is on the Microsoft M365 side or on the application side where this needs to be corrected, but also don't know how to get this correct. I found some sites that say the SAML must be correct, but no one says HOW or gives an idea.


Navya 10,955 Reputation points Microsoft Vendor
    2024-03-01T05:43:24.2533333+00:00

    Hi @Serpas, Omar

    Thank you for posting this in Microsoft Q&A.

    I understand you are facing an issue with SSO in a sandbox environment while using Step-Up Authentication within an app (Workday). The error message you are receiving is "AADSTS7500522: XML element 'AuthnContextClassRef' in XML Namespace 'urn:oasis:names:tc:SAML:2.0:assertion' in the SAML message must be a URI."

    This error indicates an issue with the SAML authentication context. To resolve this issue, you will need to ensure that the AuthnContextClassRef element in the SAML message is a URI. Microsoft Entra ID supports AuthnContextClassRef values such as urn:oasis:names:tc:SAML:2.0:ac:classes:Password.

    Can you check with the application (Workday) team to ensure that the SAML message being sent to Azure AD contains a valid URI for the AuthnContextClassRef element?

    Please follow the steps mentioned in the documents below.
    https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol
    Error AADSTS7500522

    Please do correct me if this is not the case by responding in the comments section.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    1 person found this answer helpful.
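The answer above says the AuthnContextClassRef sent by the SP must be a URI but does not show how to verify that. The script below is an added example for this thread, not code from Microsoft, Workday or either poster. It assumes the AuthnRequest reaches Entra ID over the SAML HTTP-Redirect binding (the SAMLRequest query parameter is base64 of a raw-DEFLATE stream), decodes it, and reports every saml:AuthnContextClassRef whose text is not an absolute URI, which is the shape AADSTS7500522 rejects. The two sample requests, the issuer, tenant and request ID in them are constructed for the demo and carry no real values.

```python
"""Audit the AuthnContextClassRef values in a SAML 2.0 AuthnRequest.

Added example for this Q&A thread; not Microsoft, Workday or poster code.
Decodes a SAMLRequest as carried in the HTTP-Redirect binding and flags every
AuthnContextClassRef (urn:oasis:names:tc:SAML:2.0:assertion namespace) whose
text is not an absolute URI, the condition named by AADSTS7500522.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def decode_redirect_request(saml_request_param: str) -> bytes:
    """Undo the HTTP-Redirect binding: base64, then raw DEFLATE (wbits=-15, no zlib header)."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15)


def encode_redirect_request(xml_bytes: bytes) -> str:
    """Inverse of decode_redirect_request; used here only to build offline test input."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")


def is_absolute_uri(value: str) -> bool:
    """Minimal URI check: a scheme, a non-empty remainder, and no whitespace.

    'urn:oasis:names:tc:SAML:2.0:ac:classes:Password' passes; a bare token such
    as 'Password' or a label containing spaces does not.
    """
    if not value or any(ch.isspace() for ch in value):
        return False
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


def check_authn_context(xml_bytes: bytes) -> list[tuple[str, bool]]:
    """Return (text, is_uri) for each saml:AuthnContextClassRef in the request.

    xml.etree is fine for a request you generated yourself; parse XML from an
    untrusted party with defusedxml instead.
    """
    root = ET.fromstring(xml_bytes)
    results = []
    for el in root.iterfind(".//saml:AuthnContextClassRef", NS):
        text = (el.text or "").strip()
        results.append((text, is_absolute_uri(text)))
    return results


def audit(saml_request_param: str) -> list[str]:
    """Offending AuthnContextClassRef values in an encoded SAMLRequest (empty list = clean)."""
    decoded = decode_redirect_request(saml_request_param)
    return [text for text, ok in check_authn_context(decoded) if not ok]


def build_request(class_ref: str) -> bytes:
    """Constructed AuthnRequest with a hypothetical SP issuer and tenant, asking for one context class."""
    return f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_c0ffee01" Version="2.0" IssueInstant="2024-02-29T14:57:44Z"
    Destination="https://login.microsoftonline.com/contoso.example/saml2">
  <saml:Issuer>https://sp.example.com/saml</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>""".encode()


# Constructed inputs: a spec-defined class URI, and a bare token that is not a URI.
GOOD_REQUEST = build_request("urn:oasis:names:tc:SAML:2.0:ac:classes:Password")
BAD_REQUEST = build_request("Password")


if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        param = encode_redirect_request(req)
        print(label, check_authn_context(req), "offending:", audit(param))
```

To use it on a real failure, copy the SAMLRequest parameter from the step-up redirect to login.microsoftonline.com (browser dev tools or a SAML tracer extension) and pass it to audit(). If the SP uses the HTTP-POST binding instead, the SAMLRequest form field is plain base64 with no DEFLATE, so feed base64.b64decode(param) straight to check_authn_context(). A value that passes this syntactic check can still be refused if Entra ID does not recognise that class; compare it against the AuthnContextClassRef values listed in the SAML protocol document linked in the answer.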
