Question from NickErdos-2232:

AADSTS750056: SAML message was not properly base64-encoded error for SAML application

An application is experiencing the below error when configured with SP-initiated SAML SSO in Azure AD:

AADSTS750056: SAML message was not properly base64-encoded

The Azure resolution information is not very helpful, just says to make sure it is encoded properly on the vendor side and to make sure all required attributes are present. However, IDP-initiated SSO is working fine. Is there a more detailed explanation of what the vendor should be looking at? They are claiming it is properly encoded, however the message doesn't indicate that.

azure-active-directory

@NickErdos-2232,
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Thanks,


@NickErdos-2232,
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue? Thank you for your time and patience throughout this issue.
If you have any other questions, please let me know.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


@NickErdos-2232 I just wanted to check in and see if you had any other questions or if you were able to resolve this issue? If you have any other questions, please let us know.
Thank you for your time and patience throughout this issue.

=========================================================================================================
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


1 Answer

sikumars answered:

Hello @NickErdos-2232 ,

Thanks for reaching out.

Could you please confirm what type of HTTP call your application uses to send the SAMLRequest (aka AuthnRequest) to Azure AD: HTTP-Redirect or HTTP-POST?

You can identify this by looking at the SAMLRequest in the HTTP call made by your application. If you see an HTTP 302 call and the SAMLRequest sent in the query string, then your app is using HTTP-Redirect, which is the most commonly used scenario.

Example: https://login.microsoftonline.com/tenant-id/saml2?SAMLRequest=###SAMLRequst####

If instead you see an HTTP POST call with the SAMLRequest sent in the body, then your application is using HTTP-POST.

Here are samples for both of them:

This is my AuthnRequest for a test app:

 <samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="F84D888AA3B44C1B844375A4E8210D9E" Version="2.0" IssueInstant="2021-10-07T08:10:24.669Z" IsPassive="false" AssertionConsumerServiceURL="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ForceAuthn="false"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:3000/saml/metadata</Issuer></samlp:AuthnRequest>

HTTP-Redirect binding:

First, the AuthnRequest needs to be Deflate + Base64 encoded and then URL-encoded. I used an online tool to get the Deflate + Base64 encoded value and then used a URL encoder.

Deflate + Base64 encoded value:

 jZHLasMwEEV/xWgfS340UYRtcF4QSKEkaSndCWeCTfVwNXJo/76Ki1eF0u0wc7jnToFSq17Ug2/NET4GQB99amWwJIMzwkrsUBipAYVvxKl+PIg0ZkKDlxfpJYn2m5LseL7hnNd1tsrzdbLieZ4tHup8y9OEbZZbEr2Aw86akoTjcIM4wN6gl8aHEUuTWcJmbHFmXCRMpHk8ny/f7ntPErG7QUmuUiGQqEYE5wNpbQ0OGtwJ3K1r4Pl4KEnrfY+CUnm5Yguqj3XXOIv26uPGarpWstP46uQXPdt3CLrYB0qgjsJibOJv7d5ZbxurSLSzroGxtSlbVYxa7j/1yUmDVFNoZRupWoteZIwxeg9Dp5YL+oOuCvr7XdU3

URL-encoded form of the above value:

 jZHLasMwEEV%2FxWgfS340UYRtcF4QSKEkaSndCWeCTfVwNXJo%2F76Ki1eF0u0wc7jnToFSq17Ug2%2FNET4GQB99amWwJIMzwkrsUBipAYVvxKl%2BPIg0ZkKDlxfpJYn2m5LseL7hnNd1tsrzdbLieZ4tHup8y9OEbZZbEr2Aw86akoTjcIM4wN6gl8aHEUuTWcJmbHFmXCRMpHk8ny%2Ff7ntPErG7QUmuUiGQqEYE5wNpbQ0OGtwJ3K1r4Pl4KEnrfY%2BCUnm5Yguqj3XXOIv26uPGarpWstP46uQXPdt3CLrYB0qgjsJibOJv7d5ZbxurSLSzroGxtSlbVYxa7j%2F1yUmDVFNoZRupWoteZIwxeg9Dp5YL%2BoOuCvr7XdU3

The final result is put in the SAMLRequest HTTP query string as shown below:

https://login.microsoftonline.com/cb35203e-6560-4d6a-a352-6758b354ff1a/saml2?SAMLRequest=jZHLasMwEEV%2FxWgfS340UYRtcF4QSKEkaSndCWeCTfVwNXJo%2F76Ki1eF0u0wc7jnToFSq17Ug2%2FNET4GQB99amWwJIMzwkrsUBipAYVvxKl%2BPIg0ZkKDlxfpJYn2m5LseL7hnNd1tsrzdbLieZ4tHup8y9OEbZZbEr2Aw86akoTjcIM4wN6gl8aHEUuTWcJmbHFmXCRMpHk8ny%2Ff7ntPErG7QUmuUiGQqEYE5wNpbQ0OGtwJ3K1r4Pl4KEnrfY%2BCUnm5Yguqj3XXOIv26uPGarpWstP46uQXPdt3CLrYB0qgjsJibOJv7d5ZbxurSLSzroGxtSlbVYxa7j%2F1yUmDVFNoZRupWoteZIwxeg9Dp5YL%2BoOuCvr7XdU3


HTTP-POST binding:

The AuthnRequest needs to be Base64 encoded directly and sent in an HTTP POST call.


Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
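As an added example that is not part of the thread, the script below performs the Deflate + Base64 + URL-encode steps the answer describes for the HTTP-Redirect binding (and the plain Base64 step for HTTP-POST), then reverses them the way an IdP would, reporting at which stage a SAMLRequest value stops decoding. The sample AuthnRequest, its Issuer and ACS URL are constructed placeholders, not values from the thread.

```python
import base64
import binascii
import urllib.parse
import zlib

# Constructed sample AuthnRequest; Issuer and ACS URL are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2021-10-07T08:10:24.669Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml/acs">'
    '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.test/saml/metadata</Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), Base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return urllib.parse.quote(b64, safe="")  # '+', '/' and '=' must be percent-encoded


def encode_post(xml: str) -> str:
    """HTTP-POST binding: Base64 only, no compression, sent as a form field."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def inspect_saml_request(value: str, binding: str) -> dict:
    """Undo the encoding in IdP order and report the first stage that fails."""
    if binding == "redirect":
        value = urllib.parse.unquote(value)  # query-string layer comes off first
    try:
        # validate=True rejects spaces, '%' and other non-alphabet characters,
        # which is what a missing or doubled URL-encoding leaves behind.
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        return {"ok": False, "stage": "base64", "detail": str(exc)}
    if binding == "redirect":
        try:
            raw = zlib.decompress(raw, -15)  # raw inflate; fails on uncompressed input
        except zlib.error as exc:
            return {"ok": False, "stage": "inflate", "detail": str(exc)}
    xml = raw.decode("utf-8", errors="replace")
    return {"ok": xml.lstrip().startswith("<"), "stage": "xml", "detail": xml[:40]}


if __name__ == "__main__":
    good = encode_redirect(AUTHN_REQUEST)
    print(inspect_saml_request(good, "redirect"))
    # POST-style (uncompressed) value sent on the Redirect binding stops at inflate.
    print(inspect_saml_request(encode_post(AUTHN_REQUEST), "redirect"))
```

Running the script with the value taken from the SP's actual 302 Location header (in place of the constructed sample) shows whether the failure is in the Base64 layer, which is what AADSTS750056 reports, or in the compression layer.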

