SAML Authentication issue

Rajeev Gera 0 Reputation points
2024-05-30T11:36:02.9033333+00:00

Hello Concerned Team,

We're trying to implement SAML authentication with azure for our on-premise application hosted through IIS. We are facing the following error as attached resulting in failure of our SAML implementation, hence we need support in its implimentation as we're stuck from our end. Please support.

User's image

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,235 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Navya 5,720 Reputation points Microsoft Vendor
    2024-05-31T08:31:38.05+00:00

    Hi @Rajeev Gera

    Thank you for posting this in Microsoft Q&A.

    I understand that you're encountering an error with the SAML message encoding when trying to implement SAML authentication with Azure for your on-premises application hosted through IIS. Specifically, you're seeing the error message "AADSTS750055: SAML message was not properly DEFLATE-encoded."

    Could you please confirm, what type of HTTP call being used by your application to send SAMLRequest (aka AuthNRequest) to Azure AD, either HTTP-Redirect or HTTP-POST?

    You can identity this by looking at SAMLRequest from HTTP call which done by your application, if you see HTTP 302 call and SAMLRequest sent in query string then your app using HTTP-Redirect which is most commonly used scenario. Instead, you see HTTP POST call and SAMLRequest sent in body then your application using HTTP POST.

    This error typically occurs when the SAML message is not properly compressed using the DEFLATE algorithm.

    This is my AuthRequest for test app:

    <samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="F84D888AA3B44C1B844375A4E8210D9E" Version="2.0" IssueInstant="2021-10-07T08:10:24.669Z" IsPassive="false" AssertionConsumerServiceURL="https://adfshelp.microsoft.com/ClaimsXray/
    

    HTTP-Redirect- binding:

    AuthenRequest need to be Deflate + Base64 Encode. and then URLEncode.

    To deflate and base64 encode, we can use this tool, https://www.samltool.com/encode.php. And to URL Encode, use this tool, https://meyerweb.com/eric/tools/dencoder/.

    1.Deflate + Base64 Encode value:

    jZHLasMwEEV/xWgfS340UYRtcF4QSKEkaSndCWeCTfVwNXJo/76Ki1eF0u0wc7jnToFSq17Ug2/NET4GQB99amWwJIMzwkrsUBipAYVvxKl+PIg0ZkKDlxfpJYn2m5LseL7hnNd1tsrzdbLieZ4tHup8y9OEbZZbEr2Aw86akoTjcIM4wN6gl8aHEUuTWcJmbHFmXCRMpHk8ny/f7ntPErG7QUmuUiGQqEYE5wNpbQ0OGtwJ3K1r4Pl4KEnrfY+CUnm5Yguqj3XXOIv26uPGarpWstP46uQXPdt3CLrYB0qgjsJibOJv7d5ZbxurSLSzroGxtSlbVYxa7j/1yUmDVFNoZRupWoteZIwxeg9Dp5YL+oOuCvr7XdU3
    

    2.URL Encoded above value:

    jZHLasMwEEV%2FxWgfS340UYRtcF4QSKEkaSndCWeCTfVwNXJo%2F76Ki1eF0u0wc7jnToFSq17Ug2%2FNET4GQB99amWwJIMzwkrsUBipAYVvxKl%2BPIg0ZkKDlxfpJYn2m5LseL7hnNd1tsrzdbLieZ4tHup8y9OEbZZbEr2Aw86akoTjcIM4wN6gl8aHEUuTWcJmbHFmXCRMpHk8ny%2Ff7ntPErG7QUmuUiGQqEYE5wNpbQ0OGtwJ3K1r4Pl4KEnrfY%2BCUnm5Yguqj3XXOIv26uPGarpWstP46uQXPdt3CLrYB0qgjsJibOJv7d5ZbxurSLSzroGxtSlbVYxa7j%2F1yUmDVFNoZRupWoteZIwxeg9Dp5YL%2BoOuCvr7XdU3
    

    Final result would be added in SAMLRequest HTTP query string as shown below:

    https://login.microsoftonline.com/cb35203e-6560-4d6a-a352-6758b354ff1a/saml2?SAMLRequest=jZHLasMwEEV%2FxWgfS340UYRtcF4QSKEkaSndCWeCTfVwNXJo%2F76Ki1eF0u0wc7jnToFSq17Ug2%2FNET4GQB99amWwJIMzwkrsUBipAYVvxKl%2BPIg0ZkKDlxfpJYn2m5LseL7hnNd1tsrzdbLieZ4tHup8y9OEbZZbEr2Aw86akoTjcIM4wN6gl8aHEUuTWcJmbHFmXCRMpHk

    **HTTP-POST- binding:**AuthnRequest need to be Base64 Encode directly and sent in HTTP POST call.

    PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm1ldGFkYXRhIiBJRD0iRjg0RDg4OEFBM0I0NEMxQjg0NDM3NUE0RTgyMTBEOUUiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDIxLTEwLTA3VDA4OjEwOjI0LjY2OVoiIElzUGFzc2l2ZT0iZmFsc2UiIEFzc2VydGlvbkNvbnN1bWVyU2VydmljZVVSTD0iaHR0cHM6Ly9hZGZzaGVscC5taWNyb3NvZnQuY29tL0NsYWltc1hyYXkvVG9rZW5SZXNwb25zZSIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgRm9yY2VBdXRobj0iZmFsc2UiPjxJc3N1ZXIgeG
    
    
    

    For your reference: https://blog.ardikapras.com/getting-error-on-saml-message-was-not-properly-deflate-encoded-8f65f8fec0de

    Similar issue discussed here: https://learn.microsoft.com/en-us/answers/questions/580306/aadsts750056-saml-message-was-not-properly-base64

    Hope this helps. Do let us know if you any further queries.

    Thanks,

    Navya.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it.

    0 comments No comments