SAML SSO Redirection Behavior – ReturnUrl ignored, always posting to /Saml2/Acs instead of custom route

Question

SAML SSO Redirection Behavior – ReturnUrl ignored, always posting to /Saml2/Acs instead of custom route

Niket Kumar Singh 540

We're integrating SAML-based SSO using Azure AD as the Identity Provider (IdP) and the Sustainsys.Saml2 library (formerly Kentor.AuthServices) in a .NET 6 Web API backend hosted locally at https://localhost:5001.

Entity ID (Identifier ) : https://xxxxxxxxxxxxxxxxxx/a/webapi/api/externallogin/saml/identifier

Desired Assertion Consumer Service (ACS) URL: https://localhost:5001/api/Saml2/Acs

Azure AD Reply URLs (ACS) (both configured):

https://localhost:5001/api/Saml2/Acs
https://localhost:5001/Saml2/Acs

Despite configuring the desired ACS endpoint at /api/Saml2/Acs, the AuthnRequest is always generated with: AssertionConsumerServiceURL = https://localhost:5001/Saml2/Acs

As a result:

Azure AD may throw AADSTS50011: Reply URL mismatch if only the /api/... route is registered.
The browser gets redirected to /Saml2/Acs and shows a blank page or broken icon, because the request never reaches our custom controller.

Investigation Summary:

- In `Startup.cs`, we explicitly set:

  ```yaml
  
  options.SPOptions.ReturnUrl = new Uri("https://localhost:5001/api/Saml2/Acs");
  ```
  
- The expected behavior is that the `AssertionConsumerServiceURL` in the AuthnRequest should reflect this custom return URL.

- However, Sustainsys.Saml2 seems to ignore `SPOptions.ReturnUrl` for outgoing requests and always generates:

  ```yaml
  
  https://localhost:5001/Saml2/Acs
  ```
  
- Even using `options.Notifications.AcsCommandResultCreated` to manipulate the redirect doesn't help because the POST is still going to `/Saml2/Acs`, not `/api/Saml2/Acs`.

How can we override the ACS URL to be /api/Saml2/Acs when using Sustainsys.Saml2 in .NET 6?
Is there a recommended approach to force the SDK to honor SPOptions.ReturnUrl?

Do we need to extend or override AuthServicesUrls or SignInCommand to achieve this?

Would using MapSaml2 routes or switching to MVC-style routing offer more flexibility for handling this?

Kancharla Saiteja 3,405 Reputation points Microsoft External Staff

2025-04-07T20:28:29.21+00:00

Hi @Niket Kumar Singh,

Based on your query, here is my understanding: You have found redirect_url mismatch error after providing the correct URL.

When you are using local host URL for the applications as redirect URLs, you need to make sure you are using the proper path for the redirection of the application. If there is a single element missing in the URL would throw us the error. Since you are using local host URL, you need to make sure the request is not going out of the device as it has to be configured within the range.

Based on the redirect URL rules, you need to make sure to use http as recommended protocol for local host URLs which has been specified in this document: Supported schemes.

As we are seeing the mismatch error, here is the Microsoft document to perform the necessary operation: AADSTS50011. Update the URL on both the sides of the application and check the scenario.

If you do not see any error while authentication, that means the application has passed the authentication successfully. After the successful authentication, if you still see blank then you need to check with your application team on it.

I hope this information is helpful. Please feel free to reach out if you have any further questions.
Kancharla Saiteja 3,405 Reputation points Microsoft External Staff

2025-04-08T16:56:59.61+00:00

Hi @Niket Kumar Singh,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Niket Kumar Singh 540 Reputation points

2025-04-09T05:05:32.0166667+00:00
Tried but didn't worked.

We initially attempted to use the Sustainsys.Saml2 library to handle SAML authentication, with the goal of customizing the Assertion Consumer Service (ACS) endpoint to use our desired path: https://localhost:5001/api/Saml2/Acs

However, we discovered that:

The ACS path (/Saml2/Acs) is hardcoded in the Sustainsys.Saml2 library and cannot be overridden in versions prior to v3.

Even with configurations like SPOptions.ModulePath, ReturnUrl, and updates in Startup.cs, the ACS URL kept reverting to the default /Saml2/Acs, and not our preferred /api/Saml2/Acs.

We explored the official GitHub issues (#1031, #773) and Sustainsys documentation, and confirmed this is a known product limitation until version 3.0 becomes publicly available.

Attempts to manually override routes via controller attributes or patching the library didn’t resolve the mismatch, and we continued to receive AADSTS50011 errors due to incorrect reply URLs.

Resolution & Current Working Setup

Since the library did not allow ACS customization, we re-architected the flow without using Sustainsys and built a custom SAML response handler:

Configured Azure AD to point to our custom ACS endpoint: ✅ https://localhost:5001/api/Saml2/Acs

Implemented a controller endpoint in our .NET backend to directly receive and decode the SAML response.

Validated the SAML POST payload and extracted the necessary user claims (email, name, etc.).

Successfully verified the authentication flow end-to-end without relying on Sustainsys.

The application is now capable of handling the SAML response securely and flexibly, and matches the custom ACS route expected in enterprise scenarios.

Accepted answer

0 additional answers

Your answer

Kancharla Saiteja 3,405 Reputation points Microsoft External Staff

2025-04-07T20:28:29.21+00:00

Hi @Niket Kumar Singh,

Based on your query, here is my understanding: You have found redirect_url mismatch error after providing the correct URL.

When you are using local host URL for the applications as redirect URLs, you need to make sure you are using the proper path for the redirection of the application. If there is a single element missing in the URL would throw us the error. Since you are using local host URL, you need to make sure the request is not going out of the device as it has to be configured within the range.

Based on the redirect URL rules, you need to make sure to use http as recommended protocol for local host URLs which has been specified in this document: Supported schemes.

As we are seeing the mismatch error, here is the Microsoft document to perform the necessary operation: AADSTS50011. Update the URL on both the sides of the application and check the scenario.

If you do not see any error while authentication, that means the application has passed the authentication successfully. After the successful authentication, if you still see blank then you need to check with your application team on it.

I hope this information is helpful. Please feel free to reach out if you have any further questions.
Kancharla Saiteja 3,405 Reputation points Microsoft External Staff

2025-04-08T16:56:59.61+00:00

Hi @Niket Kumar Singh,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Niket Kumar Singh 540 Reputation points

2025-04-09T05:05:32.0166667+00:00

Tried but didn't worked.

We initially attempted to use the Sustainsys.Saml2 library to handle SAML authentication, with the goal of customizing the Assertion Consumer Service (ACS) endpoint to use our desired path: https://localhost:5001/api/Saml2/Acs

However, we discovered that:

The ACS path (/Saml2/Acs) is hardcoded in the Sustainsys.Saml2 library and cannot be overridden in versions prior to v3.

Even with configurations like SPOptions.ModulePath, ReturnUrl, and updates in Startup.cs, the ACS URL kept reverting to the default /Saml2/Acs, and not our preferred /api/Saml2/Acs.

We explored the official GitHub issues (#1031, #773) and Sustainsys documentation, and confirmed this is a known product limitation until version 3.0 becomes publicly available.

Attempts to manually override routes via controller attributes or patching the library didn’t resolve the mismatch, and we continued to receive AADSTS50011 errors due to incorrect reply URLs.

Resolution & Current Working Setup

Since the library did not allow ACS customization, we re-architected the flow without using Sustainsys and built a custom SAML response handler:

Configured Azure AD to point to our custom ACS endpoint: ✅ https://localhost:5001/api/Saml2/Acs

Implemented a controller endpoint in our .NET backend to directly receive and decode the SAML response.

Validated the SAML POST payload and extracted the necessary user claims (email, name, etc.).

Successfully verified the authentication flow end-to-end without relying on Sustainsys.

The application is now capable of handling the SAML response securely and flexibly, and matches the custom ACS route expected in enterprise scenarios.

Answer 1

Hello @Niket Kumar Singh, I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

Issue: SAML SSO Redirection Behavior – ReturnUrl ignored, always posting to /Saml2/Acs instead of custom route

Solution: Resolved by @Niket Kumar Singh,

Since the library did not allow ACS customization, we re-architected the flow without using Sustainsys and built a custom SAML response handler:

Configured Azure AD to point to our custom ACS endpoint: ✅ https://localhost:5001/api/Saml2/Acs
Implemented a controller endpoint in our .NET backend to directly receive and decode the SAML response.
Validated the SAML POST payload and extracted the necessary user claims (email, name, etc.).
Successfully verified the authentication flow end-to-end without relying on Sustainsys.
The application is now capable of handling the SAML response securely and flexibly and matches the custom ACS route expected in enterprise scenarios.

If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Share via

SAML SSO Redirection Behavior – ReturnUrl ignored, always posting to /Saml2/Acs instead of custom route

0 additional answers

Your answer