Microsoft Entra SAML-based SSO gives error AADSTS7500525: "There was an XML error in the SAML message at line" ... but ONLY for unassigned users

Jon Elkin 0 Reputation points
2024-11-05T19:23:43.5766667+00:00

We're using Microsoft Entra SAML-based Single Sign-On (SSO) to sign in to Zendesk.

A subset of our organization's users is authorized to access Zendesk, and those users have been properly assigned as such within Entra. SSO works properly whenever any of those users attempt to log in.

However, if a user who has not been assigned to Zendesk attempts to log in using SSO, then after successfully authenticating the user, the Microsoft SSO page displays an error:

Sorry, but we’re having trouble signing you in.

AADSTS7500525: There was an XML error in the SAML message at line 2, position 353. Verify that the XML content of the SAML messages conforms to the SAML protocol specifications.

Screenshot: AADSTS7500525.png

Again, this only happens when the user is not authorized. When the user is authorized, the SSO works as expected, which indicates Entra is configured correctly and that the SAML request from the third-party application is properly formatted and is valid XML and valid SAML, which you can confirm here:

<?xml version="1.0"?>

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="samlr-cac18074-7614-4f48-bc6f-000000000000" IssueInstant="2024-11-04T18:24:04Z" Version="2.0" AssertionConsumerServiceURL="https://mysubdomain.zendesk.com/access/saml"><saml:Issuer>https://mysubdomain.zendesk.com</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/></samlp:AuthnRequest>

(private info has been changed)

Zendesk states this is a Microsoft bug, and I agree. The expected behavior when a user is authenticated via SSO, but not authorized to access that application, is that the user should see an access denied message, for example:

  • “Access Denied: You do not have permission to access this application.”

  • “Error: You are not authorized to use this application. Please contact your administrator.”

By displaying error AADSTS7500525, it misleadingly implies that there is a bug in the third-party application or in the Entra SSO configuration, rather than pointing to the actual issue, which is that the user is not authorized. This makes troubleshooting difficult.


1 answer

  1. Navya 13,380 Reputation points Microsoft Vendor
    2024-11-06T16:46:15.58+00:00

    Hi @Jon Elkin

    Thank you for posting this in Microsoft Q&A.

    Thank you for providing a detailed explanation of the issue you're facing. I understand that you're encountering an error message (AADSTS7500525) when a user who is not authorized to access Zendesk attempts to log in using Microsoft Entra SAML-based Single Sign-On (SSO). The current behavior can be misleading and make troubleshooting difficult.

    You receive error AADSTS75005 when trying to sign into an application that has been set up to use Microsoft Entra ID for identity management using SAML-based SSO.

    Microsoft Entra ID doesn't support the SAML request sent by the application for single sign-on. Some common issues are:

    • Missing required fields in the SAML request.
    • SAML request encoded method.

    Based on the request you provided, it seems you have included the required fields in the SAML request. I would request you to please cross-check your SAML request:

    https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol#authnrequest

    If the issue still persists, capture the SAML request. Follow the tutorial How to debug SAML-based single sign-on to applications in Microsoft Entra ID to learn how to capture the SAML request, and contact the application vendor.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

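One way to carry out the cross-check the answer recommends, as an added example that is not part of this thread and not Microsoft or Zendesk code: it decodes a captured SAMLRequest parameter back to XML and checks the attributes and elements that Entra's AuthnRequest documentation lists as required, using the AuthnRequest from the question as the sample input (the function names are my own).

```python
import base64
import zlib
from datetime import datetime
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# AuthnRequest copied from the question above (private values already replaced there).
SAMPLE_REQUEST = (
    '<?xml version="1.0"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="samlr-cac18074-7614-4f48-bc6f-000000000000" '
    'IssueInstant="2024-11-04T18:24:04Z" Version="2.0" '
    'AssertionConsumerServiceURL="https://mysubdomain.zendesk.com/access/saml">'
    '<saml:Issuer>https://mysubdomain.zendesk.com</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>'
    '</samlp:AuthnRequest>'
)


def decode_saml_request(param: str, redirect_binding: bool = True) -> str:
    """Captured SAMLRequest value -> XML text (URL-decode the query value first for the Redirect binding)."""
    raw = base64.b64decode(param)
    if redirect_binding:  # HTTP-Redirect binding: raw DEFLATE + base64; HTTP-POST binding: base64 only
        raw = zlib.decompress(raw, -15)  # -15 = raw DEFLATE stream without a zlib header
    return raw.decode("utf-8")


def check_authn_request(xml_text: str) -> list:
    """Return the problems found; an empty list means every check here passed."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:  # the class of fault AADSTS7500525 literally describes
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return [f"root element is {root.tag}, expected samlp:AuthnRequest"]
    problems = [f"missing required attribute {a}" for a in ("ID", "Version", "IssueInstant") if not root.get(a)]
    if root.get("Version", "2.0") != "2.0":
        problems.append(f"Version must be 2.0, got {root.get('Version')}")
    instant = root.get("IssueInstant")
    if instant:
        try:
            datetime.fromisoformat(instant.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"IssueInstant is not an ISO-8601 timestamp: {instant}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        problems.append("missing or empty saml:Issuer (must match the app's Identifier / Entity ID in Entra)")
    return problems
```

A request that passes these checks and still fails only for unassigned users points at the assignment, not at the XML, which is the distinction the question is making.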
