Error: AADSTS500089: SAML 2.0 assertion validation failed: SAML token is invalid

Secfense 21 Reputation points
2022-02-03T17:53:56.073+00:00

Hi, I am getting the following error message while trying to log in via SAML. Can you please help me identify the root cause?

{
"title": "Something went wrong",
"subtitle": "Refresh the page to try again.",
"message": "Error: AADSTS500089: SAML 2.0 assertion validation failed: SAML token is invalid.\r\nTrace ID: 668be611-c538-4c2b-9d05-f45d4aa29300\r\nCorrelation ID: b1bdad35-ffb2-4a7f-a203-6ea93c89427f\r\nTimestamp: 2022-02-03 17:41:25Z {\n \"componentStack\": \"\n in Unknown\n in Unknown\n in S\n in n\"\n}"
}

Thanks in advance.


Accepted answer
  1. Siva-kumar-selvaraj 15,551 Reputation points
    2022-02-04T19:56:31.727+00:00

    Hello @Secfense ,

    Thanks for reaching out.

    By tracking the details from the backend for your tenant based on the correlation ID and the timeframe of the error you have provided, I can see an incorrect audience sent in the SAML token, like "aud":["https://login.microsoftonline.com/login.srf"], but it must be urn:federation:MicrosoftOnline. So, could you please check what value was specified in your identity provider's identity field (aka RealmID or entityID)? Also, I would request you to validate your identity provider's compatibility with Azure AD, since you are using a non-Microsoft identity provider for federation with Azure AD.

    Additionally, ensure that your identity provider is sending proper values in the following fields in the token: IssueInstant, NotBefore, saml:Audience, as shown below. Also, make sure the identity provider is using the right key algorithm for signing the token, like RSA. Here's a sample-token.xml for reference which you can use to compare with the non-working token. For detailed information about compatibility, see the Azure AD federation compatibility list and the Azure AD identity provider compatibility docs. Hope this helps.

    [171505-image.png: screenshot of the sample-token.xml fields referenced above]

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
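The accepted answer lists the token fields to verify (Audience, IssueInstant, NotBefore, and an RSA signing algorithm). The script below is an added example, not Microsoft's validator or anything from the thread's participants: it runs those checks offline against an assertion an IdP administrator has captured, so a wrong audience such as the `login.srf` URL from the answer is caught before the token is sent to Azure AD. The sample assertions, the IdP issuer URL, the `PLACEHOLDER` signature value and the 5-minute clock skew are constructed assumptions; actual signature verification is out of scope, only the declared algorithm is inspected.

```python
"""Pre-flight checks for a SAML 2.0 assertion destined for Azure AD federation.

Added example (not Microsoft's code). Checks the fields named in the answer:
Audience, IssueInstant, NotBefore/NotOnOrAfter, and the signature algorithm.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EXPECTED_AUDIENCE = "urn:federation:MicrosoftOnline"  # value required by Azure AD per the answer
RSA_SIG_PREFIX = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha"  # rsa-sha256 / 384 / 512
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"


def parse_saml_time(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, now, skew=timedelta(minutes=5)):
    """Return a list of problems found; an empty list means all checks passed."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]

    # 1. Audience must be exactly the Azure AD federation realm.
    audiences = [a.text for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"Audience {audiences} does not contain {EXPECTED_AUDIENCE}")

    # 2. IssueInstant must not lie in the future beyond the allowed clock skew.
    issue_instant = parse_saml_time(assertion.get("IssueInstant"))
    if issue_instant > now + skew:
        problems.append(f"IssueInstant {issue_instant.isoformat()} is in the future")

    # 3. The Conditions validity window must include 'now'.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("missing saml:Conditions")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and parse_saml_time(not_before) > now + skew:
            problems.append(f"NotBefore {not_before} is later than now")
        if not_on_or_after and parse_saml_time(not_on_or_after) <= now - skew:
            problems.append(f"NotOnOrAfter {not_on_or_after} has already passed")

    # 4. The assertion must be signed with an RSA-based algorithm.
    sig_method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig_method is None:
        problems.append("assertion carries no ds:Signature")
    else:
        algorithm = sig_method.get("Algorithm", "")
        if not (algorithm.startswith(RSA_SIG_PREFIX) or algorithm == RSA_SHA1):
            problems.append(f"non-RSA signature algorithm {algorithm}")
    return problems


def sample_assertion(audience, algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"):
    """Constructed assertion skeleton for testing; issuer and signature value are placeholders."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example" Version="2.0"
    IssueInstant="2022-02-03T17:41:20Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{algorithm}"/>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Conditions NotBefore="2022-02-03T17:36:25Z" NotOnOrAfter="2022-02-03T17:46:25Z">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


# The wrong audience is the one the answer reports seeing in the failing token.
BAD_ASSERTION = sample_assertion("https://login.microsoftonline.com/login.srf")
GOOD_ASSERTION = sample_assertion(EXPECTED_AUDIENCE)
# Evaluation time taken from the error message's timestamp.
NOW = datetime(2022, 2, 3, 17, 41, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, assertion_xml in (("bad", BAD_ASSERTION), ("good", GOOD_ASSERTION)):
        print(name, check_assertion(assertion_xml, NOW) or "OK")
```

Run it against a captured assertion by replacing the constructed samples with the file contents; every returned string corresponds to one of the fields the answer asks the IdP administrator to fix.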
