AADSTS500089: SAML 2.0 assertion validation failed: SAML token is invalid

As per https://learn.microsoft.com/en-us/entra/external-id/direct-federation, the recommended Audience for new federations is https://login.microsoftonline.com/<tenant ID>/. However, when I use it, I get the error "AADSTS500089: SAML 2.0 assertion validation failed: SAML token is invalid". It works with urn:federation:MicrosoftOnline as the audience. Is it a known issue, or is there any additional configuration required to allow the use of the new/recommended audience value?
Error: server_error
Error description: AADSTS500089: SAML 2.0 assertion validation failed: SAML token is invalid. Trace ID: 6e398f5e-ef6e-433f-b81c-e8f1cb9d2a00 Correlation ID: 91b0d7ae-5f13-45d1-9d90-948b86b6c148 Timestamp: 2025-04-28 16:37:28Z
Quoted from https://learn.microsoft.com/en-us/entra/external-id/direct-federation:

Audience: https://login.microsoftonline.com/<tenant ID>/ (Recommended). Replace <tenant ID> with the tenant ID of the Microsoft Entra tenant you're setting up federation with. In the SAML request sent by Microsoft Entra ID for external federations, the Issuer URL is a tenanted endpoint (for example, https://login.microsoftonline.com/<tenant ID>/). For any new federations, we recommend that all our partners set the audience of the SAML or WS-Fed based IdP to a tenanted endpoint. Any existing federations configured with the global endpoint (for example, urn:federation:MicrosoftOnline) continue to work, but new federations stop working if your external IdP is expecting a global issuer URL in the SAML request sent by Microsoft Entra ID.