After further debugging we have found out that Azure AD does NOT support "Compressed SAML Authentication Requests".
Once we turned this feature OFF on our side, SSO with SAML started to work as expected.
Azure AD SAML2 request rejected: AADSTS7500525
Our SAML request (which, by the way, works with 10+ other SAML 2 IdP providers) is rejected by the Azure AD IdP:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceURL="https://????.ngrok.io/clinspark/sso/acs"
    Destination="https://login.microsoftonline.com/dbc????/saml2"
    ForceAuthn="false"
    ID="CS_8db18af8-7aaf-420a-9f64-cb0e15418e31"
    IssueInstant="2021-03-01T16:03:53Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer>https://sts.windows.net/dbc34791-87a3-4631-95b9-8198b33a9e23/</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#CS_8db18af8-7aaf-420a-9f64-cb0e15418e31">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>...</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyValue>
        <ds:RSAKeyValue>
          <ds:Modulus>...</ds:Modulus>
          <ds:Exponent>AQAB</ds:Exponent>
        </ds:RSAKeyValue>
      </ds:KeyValue>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Getting an error:
Request Id: 57aec4e4-be0d-458b-836b-439ca35c6300
Correlation Id: 10efa970-908a-4cc5-b63d-69bb7022c5bb
Timestamp: 2021-03-01T16:20:26Z
Message: AADSTS7500525: There was an XML error in the SAML message at line 1, position 1. Verify that the XML content of the SAML messages conforms to the SAML protocol specifications.
Any help would be appreciated!
-
Roman Kuzmik 101 Reputation points
2021-03-03T14:22:59.177+00:00
-
Wes 1 Reputation point
2021-06-04T23:05:16.987+00:00
Was that on a POST binding, and if the AuthnRequest were base64 encoded, would that also explain it?
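As an added illustration (not code from this thread or from Azure AD), the Python below shows the encoding difference that the accepted finding and Wes's question both turn on: under the HTTP-POST binding the SAMLRequest field is plain base64 of the XML, whereas the HTTP-Redirect binding applies raw DEFLATE before base64, which is the "compressed" form. inspect_saml_request decodes a captured SAMLRequest value and reports which form it is in, a useful first check when an IdP answers with an XML parse error such as AADSTS7500525. The AuthnRequest sample is a constructed, abbreviated version of the one in the question, and the function names are my own.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# Constructed sample: an abbreviated form of the AuthnRequest in the question.
AUTHN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' ID="CS_8db18af8-7aaf-420a-9f64-cb0e15418e31" Version="2.0"'
    ' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>'
)

def encode_post_binding(xml: str) -> str:
    """HTTP-POST binding: the SAMLRequest form field is plain base64 of the XML."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")

def encode_redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")

def _as_xml(raw: bytes):
    """Return raw as text if it is well-formed XML, otherwise None."""
    try:
        ET.fromstring(raw)
        return raw.decode("utf-8")
    except (ET.ParseError, UnicodeDecodeError):
        return None

def inspect_saml_request(value: str) -> dict:
    """Report whether a SAMLRequest value is plain base64 or DEFLATE+base64."""
    raw = base64.b64decode(value, validate=True)
    xml = _as_xml(raw)
    if xml is not None:
        return {"encoding": "base64", "xml": xml}
    try:
        inflated = zlib.decompress(raw, -15)
    except zlib.error as exc:
        raise ValueError("SAMLRequest is neither XML nor raw DEFLATE") from exc
    xml = _as_xml(inflated)
    if xml is None:
        raise ValueError("inflated payload is not well-formed XML")
    return {"encoding": "deflate+base64", "xml": xml}

def post_binding_is_valid(value: str) -> bool:
    """POST binding requires the plain base64 form; a deflated request fails here."""
    try:
        return inspect_saml_request(value)["encoding"] == "base64"
    except ValueError:
        return False
```

Run inspect_saml_request on the SAMLRequest value captured from the browser's POST to the Azure AD /saml2 endpoint: if it reports "deflate+base64", the SP is still sending the compressed form on a binding that expects plain base64.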