SAML Authentication issue

Question

Hello Concerned Team,

We're trying to implement SAML authentication with azure for our on-premise application hosted through IIS. We are facing the following error as attached resulting in failure of our SAML implementation, hence we need support in its implimentation as we're stuck from our end. Please support.

Answer 1

Hi @Rajeev Gera

Thank you for posting this in Microsoft Q&A.

I understand that you're encountering an error with the SAML message encoding when trying to implement SAML authentication with Azure for your on-premises application hosted through IIS. Specifically, you're seeing the error message "AADSTS750055: SAML message was not properly DEFLATE-encoded."

Could you please confirm, what type of HTTP call being used by your application to send SAMLRequest (aka AuthNRequest) to Azure AD, either HTTP-Redirect or HTTP-POST?

You can identity this by looking at SAMLRequest from HTTP call which done by your application, if you see HTTP 302 call and SAMLRequest sent in query string then your app using HTTP-Redirect which is most commonly used scenario. Instead, you see HTTP POST call and SAMLRequest sent in body then your application using HTTP POST.

This error typically occurs when the SAML message is not properly compressed using the DEFLATE algorithm.

This is my AuthRequest for test app:

<samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="F84D888AA3B44C1B844375A4E8210D9E" Version="2.0" IssueInstant="2021-10-07T08:10:24.669Z" IsPassive="false" AssertionConsumerServiceURL="https://adfshelp.microsoft.com/ClaimsXray/

HTTP-Redirect- binding:

AuthenRequest need to be Deflate + Base64 Encode. and then URLEncode.

To deflate and base64 encode, we can use this tool, https://www.samltool.com/encode.php. And to URL Encode, use this tool, https://meyerweb.com/eric/tools/dencoder/.

1.Deflate + Base64 Encode value:

jZHLasMwEEV/xWgfS340UYRtcF4QSKEkaSndCWeCTfVwNXJo/76Ki1eF0u0wc7jnToFSq17Ug2/NET4GQB99amWwJIMzwkrsUBipAYVvxKl+PIg0ZkKDlxfpJYn2m5LseL7hnNd1tsrzdbLieZ4tHup8y9OEbZZbEr2Aw86akoTjcIM4wN6gl8aHEUuTWcJmbHFmXCRMpHk8ny/f7ntPErG7QUmuUiGQqEYE5wNpbQ0OGtwJ3K1r4Pl4KEnrfY+CUnm5Yguqj3XXOIv26uPGarpWstP46uQXPdt3CLrYB0qgjsJibOJv7d5ZbxurSLSzroGxtSlbVYxa7j/1yUmDVFNoZRupWoteZIwxeg9Dp5YL+oOuCvr7XdU3

2.URL Encoded above value:

jZHLasMwEEV%2FxWgfS340UYRtcF4QSKEkaSndCWeCTfVwNXJo%2F76Ki1eF0u0wc7jnToFSq17Ug2%2FNET4GQB99amWwJIMzwkrsUBipAYVvxKl%2BPIg0ZkKDlxfpJYn2m5LseL7hnNd1tsrzdbLieZ4tHup8y9OEbZZbEr2Aw86akoTjcIM4wN6gl8aHEUuTWcJmbHFmXCRMpHk8ny%2Ff7ntPErG7QUmuUiGQqEYE5wNpbQ0OGtwJ3K1r4Pl4KEnrfY%2BCUnm5Yguqj3XXOIv26uPGarpWstP46uQXPdt3CLrYB0qgjsJibOJv7d5ZbxurSLSzroGxtSlbVYxa7j%2F1yUmDVFNoZRupWoteZIwxeg9Dp5YL%2BoOuCvr7XdU3

Final result would be added in SAMLRequest HTTP query string as shown below:

https://login.microsoftonline.com/cb35203e-6560-4d6a-a352-6758b354ff1a/saml2?SAMLRequest=jZHLasMwEEV%2FxWgfS340UYRtcF4QSKEkaSndCWeCTfVwNXJo%2F76Ki1eF0u0wc7jnToFSq17Ug2%2FNET4GQB99amWwJIMzwkrsUBipAYVvxKl%2BPIg0ZkKDlxfpJYn2m5LseL7hnNd1tsrzdbLieZ4tHup8y9OEbZZbEr2Aw86akoTjcIM4wN6gl8aHEUuTWcJmbHFmXCRMpHk

**HTTP-POST- binding:**AuthnRequest need to be Base64 Encode directly and sent in HTTP POST call.

PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm1ldGFkYXRhIiBJRD0iRjg0RDg4OEFBM0I0NEMxQjg0NDM3NUE0RTgyMTBEOUUiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDIxLTEwLTA3VDA4OjEwOjI0LjY2OVoiIElzUGFzc2l2ZT0iZmFsc2UiIEFzc2VydGlvbkNvbnN1bWVyU2VydmljZVVSTD0iaHR0cHM6Ly9hZGZzaGVscC5taWNyb3NvZnQuY29tL0NsYWltc1hyYXkvVG9rZW5SZXNwb25zZSIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgRm9yY2VBdXRobj0iZmFsc2UiPjxJc3N1ZXIgeG

For your reference: https://blog.ardikapras.com/getting-error-on-saml-message-was-not-properly-deflate-encoded-8f65f8fec0de

Similar issue discussed here: https://learn.microsoft.com/en-us/answers/questions/580306/aadsts750056-saml-message-was-not-properly-base64

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

If the answer is helpful, please click "Accept Answer" and kindly upvote it.