What this error means: AADSTS399274: The application with App ID 'XXXX' is configured for SAML SSO and could not be used with non-SAML protocol

Garber, Oleg 0 Reputation points
2024-10-21T14:00:16.2566667+00:00

I'm getting the following error when exchanging the code for an access token in the OAuth2 Authorization Code flow.
AADSTS399274: The application with App ID 'XXXX' is configured for SAML SSO and could not be used with non-SAML protocol

We started to get this error while using a recently created App Registration (SAML application). A similar application that was made a few months ago is working without exceptions.

Microsoft Entra ID

2 answers

  1. Navya 12,405 Reputation points Microsoft Vendor
    2024-10-22T01:47:58.34+00:00

    Hi @Garber, Oleg

    Thank you for posting this in Microsoft Q&A.

    I understand that you have created a SAML application and are trying to obtain an access token. However, when exchanging the code in the OAuth2 Authorization Code flow, you encountered the error: AADSTS399274. This error indicates that the application with App ID 'XXXX' is configured for SAML SSO and cannot be used with non-SAML protocols.

    As the error message states, SAML applications cannot receive tokens through OAuth2 or OIDC protocols.

    Starting in late September 2024, applications designated as SAML applications (via the preferredSingleSignOnMode property of the service principal) will no longer be able to receive JWT tokens. This change means they cannot serve as the resource application in OIDC, OAuth2.0, or any other protocols that utilize JWTs. It is important to note that this change only affects SAML applications that are attempting to adopt JWT-based protocols; existing SAML applications already using these flows will not be impacted.

    With this new change, the OAuth integration will require a separate app registration for the third-party application to function properly. You will need to set up two applications in Entra ID: one enterprise app for SAML SSO and one app registration for the OAuth setup.

    For your reference: https://learn.microsoft.com/en-us/entra/fundamentals/whats-new#general-availability---new-saml-applications-cant-receive-tokens-through-oauth2oidc-protocols

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    1 person found this answer helpful.
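The answer above says the deciding property is the service principal's preferredSingleSignOnMode, and that the fix is a second, OAuth-only app registration. The following is an added example (not code from the question, the answer, or Microsoft) showing how to triage the failure: pull the AADSTS code and App ID out of the token endpoint's JSON error body, build the Microsoft Graph query that reveals the SSO mode for that App ID, and decide from the returned servicePrincipal whether you are hitting this exact case. The token error body and the two servicePrincipal objects are constructed for the example; the `error` field value and the GUIDs are assumptions, and the Graph request is only built here, not sent (sending it needs a Graph bearer token with a permission such as Application.Read.All).

```python
import json
import re
from urllib.parse import quote

# Constructed sample of the JSON body the Entra ID token endpoint
# (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token) returns on a
# failed code exchange. Only error_description mirrors the message quoted in the
# question; the "error" value and the App ID GUID are assumptions.
SAMPLE_TOKEN_ERROR = json.dumps({
    "error": "invalid_request",
    "error_description": (
        "AADSTS399274: The application with App ID "
        "'11111111-2222-3333-4444-555555555555' is configured for SAML SSO "
        "and could not be used with non-SAML protocol"
    ),
})

# Constructed objects shaped like the Microsoft Graph servicePrincipal
# resource, trimmed to the two properties this check needs.
SAML_SP = {"appId": "11111111-2222-3333-4444-555555555555",
           "preferredSingleSignOnMode": "saml"}
OAUTH_SP = {"appId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
            "preferredSingleSignOnMode": None}

AADSTS_RE = re.compile(r"AADSTS(\d+)")
APP_ID_RE = re.compile(r"App ID '([^']+)'")


def parse_aadsts_error(body: str) -> dict:
    """Extract the AADSTS code and the offending App ID from a token-endpoint error body."""
    desc = json.loads(body).get("error_description", "")
    code = AADSTS_RE.search(desc)
    app_id = APP_ID_RE.search(desc)
    return {
        "code": code.group(1) if code else None,
        "app_id": app_id.group(1) if app_id else None,
    }


def graph_lookup_url(app_id: str) -> str:
    """Build the Graph query that returns the SSO mode of the service principal for an appId.

    The URL is only constructed here; issuing it requires a Graph bearer token.
    """
    flt = quote(f"appId eq '{app_id}'", safe="'")
    return ("https://graph.microsoft.com/v1.0/servicePrincipals"
            f"?$filter={flt}&$select=appId,preferredSingleSignOnMode")


def is_saml_only(sp: dict) -> bool:
    """True when Entra has designated this service principal as a SAML application."""
    return (sp.get("preferredSingleSignOnMode") or "").lower() == "saml"


def diagnose(body: str, sp: dict) -> str:
    """Classify a failed code exchange given the servicePrincipal object Graph returned."""
    err = parse_aadsts_error(body)
    if err["code"] != "399274":
        return f"not-saml-related: AADSTS{err['code']}"
    if err["app_id"] and sp.get("appId") != err["app_id"]:
        return "wrong-sp: the service principal does not match the App ID in the error"
    if is_saml_only(sp):
        return ("split-apps: keep this enterprise app for SAML SSO and create a "
                "separate app registration for OAuth2/OIDC; use its client_id")
    return "mode-mismatch: SP is not SAML-flagged; confirm which app the code was issued for"


if __name__ == "__main__":
    err = parse_aadsts_error(SAMPLE_TOKEN_ERROR)
    print("AADSTS code:", err["code"], "App ID:", err["app_id"])
    print("Graph query:", graph_lookup_url(err["app_id"]))
    print(diagnose(SAMPLE_TOKEN_ERROR, SAML_SP))
```

The `wrong-sp` branch matters in practice: when the SAML enterprise app and the OAuth app registration have different App IDs, the one named in the error tells you which side of the split your client is still pointed at.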

