Error: AADSTS500089: SAML 2.0 assertion validation failed: SAML token is invalid

Secfense 21 Reputation points

Hi, I am getting the following error message while trying to log in via SAML. Can you please help me identify the root cause?

"title": "Something went wrong",
"subtitle": "Refresh the page to try again.",
"message": "Error: AADSTS500089: SAML 2.0 assertion validation failed: SAML token is invalid.\r\nTrace ID: 668be611-c538-4c2b-9d05-f45d4aa29300\r\nCorrelation ID: b1bdad35-ffb2-4a7f-a203-6ea93c89427f\r\nTimestamp: 2022-02-03 17:41:25Z {\n \"componentStack\": \"\n in Unknown\n in Unknown\n in S\n in n\"\n}"

Thanks in advance.


Accepted answer
  1. Siva-kumar-selvaraj 15,571 Reputation points

    Hello @Secfense ,

    Thanks for reaching out.

    By tracking the details from the backend for your tenant, based on the correlation ID and the timeframe of the error you provided, I can see an incorrect audience sent in the SAML token, like "aud":[""], but it must be urn:federation:MicrosoftOnline. So, could you please check what value was specified in your identity provider's identity field (aka RealmID or entityID)? I would also request that you validate your identity provider's compatibility with Azure AD, since you are using a non-Microsoft identity provider for federation with Azure AD.

    Additionally, ensure that your identity provider is sending proper values in the following fields in the token: IssueInstant, NotBefore, saml:Audience, as shown below. Also, make sure the identity provider is using the right key algorithm for signing the token, like RSA. Here's sample-token.xml for reference, which you can use to compare against the non-working token. For detailed information about compatibility, see the Azure AD federation compatibility list and the Azure AD identity provider compatibility docs. Hope this helps.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
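
A local check of the fields named in the answer above, as an added example that is not part of the original thread or Microsoft's own tooling. The function name `check_assertion` and the sample assertion are hypothetical and constructed for illustration; the script inspects field values only and does not verify the XML signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EXPECTED_AUDIENCE = "urn:federation:MicrosoftOnline"  # value stated in the answer

# Constructed sample (not a real token): empty Audience, like the "aud":[""] case.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example" Version="2.0"
    IssueInstant="2022-02-03T17:41:20Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Conditions NotBefore="2022-02-03T17:41:20Z" NotOnOrAfter="2022-02-03T18:41:20Z">
    <saml:AudienceRestriction><saml:Audience></saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values such as 2022-02-03T17:41:25Z
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now):
    """Return a list of problems in the fields the answer names (empty list = none)."""
    root = ET.fromstring(xml_text)
    a = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if a is None:
        return ["no saml:Assertion element found"]
    problems = []
    if not a.get("IssueInstant"):
        problems.append("IssueInstant missing")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore"):
        problems.append("NotBefore missing")
    elif _ts(cond.get("NotBefore")) > now:
        problems.append("NotBefore is in the future")
    audiences = [(e.text or "").strip() for e in a.iterfind(".//saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"Audience is {audiences}, expected {EXPECTED_AUDIENCE}")
    sig = a.find(".//ds:SignatureMethod", NS)
    if sig is None or "rsa" not in sig.get("Algorithm", "").lower():
        problems.append("SignatureMethod is missing or not RSA")
    return problems

if __name__ == "__main__":
    now = datetime(2022, 2, 3, 17, 41, 25, tzinfo=timezone.utc)
    for problem in check_assertion(SAMPLE, now):
        print("FAIL:", problem)
```

Run it against a token captured from your own identity provider (for example, the decoded SAMLResponse from a browser trace) and compare the output with the working sample token.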