Azure AD SAML2 request rejected: AADSTS7500525

Roman Kuzmik 101 Reputation points
2021-03-01T17:06:53.407+00:00

our SAML request (btw, works with other 10+ SDAML 2 IdP providers) is rejected by Azure AD IdP:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://????.ngrok.io/clinspark/sso/acs" Destination="https://login.microsoftonline.com/dbc????/saml2" ForceAuthn="false" ID="CS_8db18af8-7aaf-420a-9f64-cb0e15418e31" IssueInstant="2021-03-01T16:03:53Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
    <saml:Issuer>https://sts.windows.net/dbc34791-87a3-4631-95b9-8198b33a9e23/</saml:Issuer>
    <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#CS_8db18af8-7aaf-420a-9f64-cb0e15418e31">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>...</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:KeyValue>
                <ds:RSAKeyValue>
                    <ds:Modulus>...</ds:Modulus>
                    <ds:Exponent>AQAB</ds:Exponent>
                </ds:RSAKeyValue>
            </ds:KeyValue>
            <ds:X509Data>
                <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Getting an error:

Request Id: 57aec4e4-be0d-458b-836b-439ca35c6300
Correlation Id: 10efa970-908a-4cc5-b63d-69bb7022c5bb
Timestamp: 2021-03-01T16:20:26Z
Message: AADSTS7500525: There was an XML error in the SAML message at line 1, position 1. Verify that the XML content of the SAML messages conforms to the SAML protocol specifications.
Advanced diagnostics: Disable

Any help would be appreciated!

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,168 questions
{count} vote

Accepted answer
  1. Roman Kuzmik 101 Reputation points
    2021-03-03T14:22:59.177+00:00

    After further debugging we have found out that Azure AD does NOT support "Compressed SAML Authentication Requests".
    Ones we have turned this feature OFF on our side, SSO with SAML started to work as expected.


1 additional answer

Sort by: Most helpful
  1. Wes 1 Reputation point
    2021-06-04T23:05:16.987+00:00

    Was that on a POST binding, and if the AuthnRequest were base64 encoded, would that also explain it?

    0 comments No comments