Azure Error: AADSTS500089: SAML 2.0 assertion validation failed: SAML token is invalid.

KF 51 Reputation points
2022-03-18T01:05:25.087+00:00

When attempting to access Azure Portal (here as SP) using an SSP SAML 2.0 assertion response from a third-party IdP, Azure throws the persistent error:
Request Id: 74a97af3-2b70-4802-8793-bf7a60ba0a00
Correlation Id: 6c105314-b07e-43c0-a870-bb5750606191
Timestamp: 2022-03-18T00:33:21Z
Message: AADSTS500089: SAML 2.0 assertion validation failed: SAML token is invalid.

However, when checking the Sign-in Log, it shows a successful login, as follows:

Date 18.3.2022, 01:30:51
Request ID a1486ae0-86be-4e32-b147-f830fd631d00
Correlation ID fa933774-c078-495f-b9ad-7fd59107d1bb
Authentication requirement
Single-factor authentication
Status Success
Continuous access evaluation No
Troubleshoot Event
Follow these steps:
Launch the Sign-in Diagnostic.
Review the diagnosis and act on suggested fixes.
User user1Azure1
Username user1azure1@xxxxxxxxxxxxx .onmicrosoft.com
User ID 73e9226f-af71-4003-a930-13f21d442a35
Sign-in identifier user1Azure1@xxxxxxxxxxxxx .onmicrosoft.com
User type Member
Cross tenant access type None
Application AuthPoint
Application ID 2af541a1-2610-4f3f-ae8c-cbe7ec51d909
Resource Microsoft Graph
Resource ID 00000003-0000-0000-c000-000000000000
Resource tenant ID 812a91a9-b623-4196-ac35-0efdc5444bc5
Home tenant ID 812a91a9-b623-4196-ac35-0efdc5444bc5
Home tenant name Client app
Mobile Apps and Desktop clients
Service principal ID
Service principal name
Resource service principal ID 3d489feb-76fb-4582-a3ed-4d841d003df2
Unique token identifier YTE0ODZhZTAtODZiZS00ZTMyLWIxNDctZjgzMGZkNjMxZDAw
Token issuer type Azure AD
Token issuer name Incoming token type None
Authentication Protocol ROPC
Latency 103ms
Flagged for review No
User agent java/11.0.3

Thanks for every help!


Accepted answer
  1. Siva-kumar-selvaraj 15,571 Reputation points
    2022-03-22T11:50:54.6+00:00

    Hi @KF,

    Thank you for your query. From your query, I understand that you are getting AADSTS500089 error when attempting to access Azure Portal using SAML 2.0 SSO with Azure AD from a third-party IdP.

    By tracking the details from the backend for your tenant based on the correlation ID and the timeframe of the error you have provided, I can see an incorrect audience sent by your IDP "iss":"https://##.authpoint.cloud.watchguard.com/ACC-1####81" in the SAML token, like "aud":["https://login.microsoftonline.com/812a###9-b623-####-ac35-0efdc###c5/"], but it must be urn:federation:MicrosoftOnline. So, could you please check what value was specified in your identity provider's identity field (aka RealmID or entityID)? I would also request you to validate your identity provider's compatibility with Azure AD, since you are using a non-Microsoft identity provider for federation with Azure AD.

    Additionally, ensure that your identity provider is sending proper values in the following fields in the token: IssueInstant, NotBefore, saml:Audience, as shown below. Also, make sure the identity provider is using the right key algorithm for signing the token, like RSA. Here's sample-token.xml for reference, which you can use to compare against the non-working token. For detailed information about compatibility, see the Azure AD federation compatibility list and the Azure AD identity provider compatibility docs. Hope this helps.

    [attached image: 171505-image.png (screenshot of the sample token fields)]

    Hope this helps.

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

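The answer names four things to compare between a working and a failing assertion: IssueInstant, NotBefore/NotOnOrAfter, saml:Audience (which must be urn:federation:MicrosoftOnline for Azure AD federation) and an RSA signature algorithm. The script below is an added example, not Microsoft's code or part of this thread: it parses an assertion with the standard library and reports which of those fields would fail, so the IdP side can be checked before Azure AD returns an opaque AADSTS500089. The sample assertions, the issuer URL, the tenant-id placeholder and the 5-minute clock-skew allowance are constructed assumptions; the script does not verify the XML signature itself, only the declared algorithm.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Audience Azure AD expects from a federated IdP, as stated in the accepted answer.
EXPECTED_AUDIENCE = "urn:federation:MicrosoftOnline"

# RSA signature algorithms this check accepts (assumption: the answer only says "RSA").
ACCEPTED_SIG_ALGS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Clock skew tolerated between IdP and SP clocks (assumption, a common default).
SKEW = timedelta(minutes=5)


def _parse_time(value):
    """Parse a SAML xs:dateTime such as 2022-03-18T00:33:21Z; return None if malformed."""
    try:
        t = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    # SAML times must be UTC; treat a naive value as UTC rather than failing the comparison
    return t if t.tzinfo else t.replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now=None, expected_audience=EXPECTED_AUDIENCE):
    """Return a list of problems found in a SAML 2.0 assertion; an empty list means it passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        # Accept a samlp:Response wrapper and look for the assertion inside it
        root = root.find("saml:Assertion", NS)
        if root is None:
            return ["no saml:Assertion element found"]

    issue_raw = root.get("IssueInstant", "")
    issue = _parse_time(issue_raw)
    if issue is None:
        problems.append("IssueInstant missing or malformed")
    elif issue > now + SKEW:
        problems.append(f"IssueInstant {issue_raw} lies in the future")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("saml:Conditions element missing")
    else:
        not_before = _parse_time(cond.get("NotBefore", ""))
        not_on_or_after = _parse_time(cond.get("NotOnOrAfter", ""))
        if not_before is None or not_on_or_after is None:
            problems.append("NotBefore/NotOnOrAfter missing or malformed")
        else:
            if now + SKEW < not_before:
                problems.append(f"assertion not yet valid (NotBefore {cond.get('NotBefore')})")
            if now - SKEW >= not_on_or_after:
                problems.append(f"assertion expired (NotOnOrAfter {cond.get('NotOnOrAfter')})")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            problems.append(f"Audience {audiences} does not include {expected_audience}")

    sig_method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig_method is None:
        problems.append("no ds:SignatureMethod found (is the assertion signed?)")
    elif sig_method.get("Algorithm") not in ACCEPTED_SIG_ALGS:
        problems.append(f"signature algorithm {sig_method.get('Algorithm')} is not an accepted RSA algorithm")
    return problems


def build_assertion(audience, issue_instant, not_before, not_on_or_after, sig_alg):
    """Constructed minimal assertion for testing; a real one also carries Subject, attributes and SignatureValue."""
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" ID="_constructed" '
        f'Version="2.0" IssueInstant="{issue_instant}">'
        "<saml:Issuer>https://idp.example.invalid/ACC-PLACEHOLDER</saml:Issuer>"
        f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/></ds:SignedInfo></ds:Signature>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion>"
    )


SAMPLE_NOW = datetime(2022, 3, 18, 0, 33, 21, tzinfo=timezone.utc)  # timestamp from the question

GOOD_ASSERTION = build_assertion(EXPECTED_AUDIENCE, "2022-03-18T00:33:10Z",
                                 "2022-03-18T00:33:00Z", "2022-03-18T00:38:00Z", RSA_SHA256)
# Audience in the tenant-login-URL form that the answer rejected (tenant id is a placeholder)
BAD_AUDIENCE_ASSERTION = build_assertion("https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/",
                                         "2022-03-18T00:33:10Z", "2022-03-18T00:33:00Z",
                                         "2022-03-18T00:38:00Z", RSA_SHA256)
EXPIRED_ASSERTION = build_assertion(EXPECTED_AUDIENCE, "2022-03-18T00:00:00Z",
                                    "2022-03-18T00:00:00Z", "2022-03-18T00:05:00Z", RSA_SHA256)

if __name__ == "__main__":
    for name, text in [("good", GOOD_ASSERTION), ("bad audience", BAD_AUDIENCE_ASSERTION), ("expired", EXPIRED_ASSERTION)]:
        print(name, "->", check_assertion(text, now=SAMPLE_NOW) or "OK")
```

Run against a decoded SAMLResponse captured from the browser (after base64-decoding it), with `now` left at the default so the validity window is compared against the real clock. A reported audience mismatch is exactly the condition the answer describes; if the audience passes but Azure AD still rejects the token, the remaining candidates are the signing certificate or the XML signature itself, which this script does not verify.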

1 additional answer

  1. KF 51 Reputation points
    2022-03-23T21:10:23.643+00:00

    Thank you @sikumars-msft for your detailed information.
    There is no problem with the user accessing with their MFA credentials (incl. the token)
    However, when I enter the value you specified, "urn:federation:MicrosoftOnline", into the field SP Entity ID and use it to access Azure Portal as a SP, I find myself inside the Office365 platform (!), which is not the required destination! The required destination is the Azure platform. From there on, the authenticated user should select the services he/she would like to use.

    There must be a unique Entity-ID, one that accesses Azure and another that accesses Office 365. But here we have identical Entity-IDs, so there must be a differentiating field. That's why I selected the value "https://login.microsoftonline.com/812a###9-b623-####-ac35-0efdc###c5/" which you rejected.

    To access Azure independently from Office 365, two values should be unique:
    1- Service Provider Entity ID
    2- Assertion Consumer Service (ACS)

    My question is: How can I access the Azure platform independently from Office365 using the above two values?

    Thank you for your support and efforts.