SAML Access Denied from Azure AD - Localhost Sustainsys Setup

Question

SAML Access Denied from Azure AD - Localhost Sustainsys Setup

Verool Kuniyil Shibin 5

I am trying to set up an SAML based authentication using ASP.Net framework 4.8. But after login i am returning back to my localhost site and getting error like https://localhost:44353/Saml2/Acs?error=access_denied . I have assigned users and all the configurations are correct.

Verool Kuniyil Shibin 5

Please find my startup.cs code below. Please note that i am using ASP.Net framework 4.8 version. I am getting the Successful SAML response but after that page redirects to Access Denied error.


public class Startup    {        public void Configuration(IAppBuilder app)        {            // Set default sign-in type            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);            // Cookie Authentication setup            app.UseCookieAuthentication(new CookieAuthenticationOptions            {                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,                Provider = new CookieAuthenticationProvider                {                    OnValidateIdentity = context =>                    {                        var identity = context.Identity;                                                 var tenantId = identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value;                         return Task.CompletedTask;                    }                }            });            // Log SAML response for debugging            app.Use(async (context, next) =>            {                if (context.Request.Path.Value.Equals("/Saml2/Acs", StringComparison.OrdinalIgnoreCase) &&                    context.Request.Method.Equals("POST", StringComparison.OrdinalIgnoreCase))                {                    var form = await context.Request.ReadFormAsync();                    var samlResponse = form["SAMLResponse"];                    if (!string.IsNullOrEmpty(samlResponse))                    {                        var decoded = System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(samlResponse));                        //System.IO.File.WriteAllText(@"C:\Temp\saml_raw.xml", decoded);                    }                }                await next.Invoke();            });            // Configure SAML2 options            var samlOptions = new Saml2AuthenticationOptions(false)            {                SPOptions = new SPOptions                {                    EntityId = new EntityId("https://localhost:44353/Saml2"),                    ReturnUrl = new Uri("https://localhost:44353/Saml2/Acs")                }             };            // Configure Identity Provider            var idp = new IdentityProvider(                new EntityId("https://sts.windows.net/eaadf123-039d-49ef-a8ac-f5a5ef8d7ea9/"),                samlOptions.SPOptions)            {                LoadMetadata = true,                MetadataLocation = "https://login.microsoftonline.com/eaadf123-039d-49ef-a8ac-f5a5ef8d7ea9/federationmetadata/2007-06/federationmetadata.xml",                AllowUnsolicitedAuthnResponse = true // Optional: allow unsolicited SAML Response            };                        samlOptions.IdentityProviders.Add(idp);            // Add SAML middleware            app.UseSaml2Authentication(samlOptions);        }

1 answer

Your answer

Answer 1

Danny Nguyen (WICLOUD CORPORATION) 410 Microsoft External Staff

Hi @Verool Kuniyil Shibin ,

I suggest you check out this instruction to debug this problem from Microsoft: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/debug-saml-sso-issues

https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/adfs-2-error-access-is-denied?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#resolution

Here are things I recommend looking out for:

Sign-in logs:

In Microsoft Entra, go to Users and select the user who most recently attempted to sign in. Then, click on Sign-in logs from the left-hand panel under the user's name. This will show whether the sign-in was successful or failed.

If the sign-in failed, check the Conditional Access section to identify any policies that might be blocking the user from accessing the application.

Authorization Rules:

Check the issuance authorization rules for the relying party. If you have strict rules set up, it's possible that the user isn't meeting the criteria for token issuance. Make sure to check if all the necessary rules are defined and whether any deny rules are overriding allow rules.

Reply URL Configuration:

Ensure your application's reply URL (Assertion Consumer Service URL) is correctly set up. If the reply URL points to localhost or an incorrect endpoint, Azure AD might not know where to send the token. Double-check the configuration on the Azure side.

Testing SSO:

Utilize the Test SSO feature in the Microsoft Entra admin center for your application. It can provide error resolution guidance tailored to your setup.

If you feel like this might be related to your implementation of the application, please send me your implementation of SAML in your program.cs.

I also suggest posting this problem under Azure and Entra tags to get more insights from this problem.

Feel free to reach out if you have any problems.

Best regards

Verool Kuniyil Shibin 5 Reputation points

2025-06-26T12:11:11.4233333+00:00

Please find my startup.cs code updated on comment section. Please note that i am using ASP.Net framework 4.8 version. I am getting the Successful SAML response but after that page redirects to Access Denied error.
Danny Nguyen (WICLOUD CORPORATION) 410 Reputation points Microsoft External Staff

2025-06-27T04:28:28.5766667+00:00

Hi @Verool Kuniyil Shibin , I believed I was able to recreate your problem. It looks like the MetadataLocation URL might be incorrect. You can find the correct URL in your Microsoft Entra SAML Toolkit under SAML Certificates, labeled as App Federation Metadata Url.

Please make sure to avoid sharing links that may contain sensitive tenant-specific information.

Let me know if you run into any further issues!
Verool Kuniyil Shibin 5 Reputation points

2025-06-27T05:01:52.4666667+00:00

Hi, thanks for responding,
MetadataLocation URL is correct. I had verified that multiple times. I think that's why i got the SAML response XML with authentication success data.
Danny Nguyen (WICLOUD CORPORATION) 410 Reputation points Microsoft External Staff

2025-06-27T05:17:02.97+00:00

Hi @Verool Kuniyil Shibin ,

Thanks for responding, I believe your MetadataLocation Url should include the appid like this "federationmetadata.xml?appid=<ApplicationID>".

Could you verify if your App Federation Metadata Url given by Microsoft Entra SAML Toolkit matches as above?
Danny Nguyen (WICLOUD CORPORATION) 410 Reputation points Microsoft External Staff

2025-06-30T02:25:19.27+00:00

Hi @Verool Kuniyil Shibin , may I ask if the problem has been addressed? I'm ready to help if there's any issue on your end!
Verool Kuniyil Shibin 5 Reputation points

2025-07-04T05:48:36.81+00:00
Thanks Danny for the response. I was able to login successfully after correcting Metadata Url. But now i am facing logout issue. System is not redirecting back to Microsoft login site after clicking on logout button, it just logs out from my application and when i click on login button again it automatically logged in without entering credentials. Session is not clearing at Azure site.

This is the code i am using for logout

Context.GetOwinContext().Authentication.SignOut( new AuthenticationProperties { RedirectUri = "/Saml2/Logout" }, "Saml2", CookieAuthenticationDefaults.AuthenticationType);

will share my saml configuration also

Please let me know the changes needs to be done for logout

Danny Nguyen (WICLOUD CORPORATION) 410 Microsoft External Staff

Hey Verool, I'm glad that we were able to fix the first problem.

As for your specific issue here, I don't think this is the issue with your logout configuration.

You should consider using ForceAuthn in your AuthnRequest . Here's the link to the documentation Single sign-on SAML protocol - Microsoft identity platform | Microsoft Learn

The behaviour is specified likewise:

Parameter	Type	Description
`ForceAuthn`	Optional	This is a boolean value. If true, it means that the user will be forced to reauthenticate, even if they have a valid session with Microsoft Entra ID.

Note: This doesn’t log the user out of their Microsoft account. It simply ensures that they are prompted to reauthenticate every time they log in.

In your case, the configuration should look like so:

var samlOptions = new Saml2AuthenticationOptions(false)
{
	...
};
 
samlOptions.Notifications.AuthenticationRequestCreated = (request, identity, dictionary) =>
{
    request.ForceAuthentication = true;
    // You can also potentially set other properties here, like IsPassive
    // request.IsPassive = true;
};

Please let me know if this works out for you

Danny Nguyen (WICLOUD CORPORATION) 410 Reputation points Microsoft External Staff

2025-07-07T02:27:32.52+00:00

Hey Verool, just reaching out to see if my solution worked out for you?
Danny Nguyen (WICLOUD CORPORATION) 410 Reputation points Microsoft External Staff

2025-07-14T08:01:08.45+00:00

Hey Verool, just checking in the status of this thread, how is the problem on your end so far? Did you manage to find a different solution?

Share via

SAML Access Denied from Azure AD - Localhost Sustainsys Setup

1 answer

Your answer