RomanKuzmik asked MuhammadQadir-1986 commented

Azure AD SAML2 request rejected: AADSTS7500525

Our SAML request (btw, it works with 10+ other SAML 2 IdP providers) is rejected by the Azure AD IdP:

 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <samlp:AuthnRequest
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://????.ngrok.io/clinspark/sso/acs" Destination="https://login.microsoftonline.com/dbc????/saml2" ForceAuthn="false" ID="CS_8db18af8-7aaf-420a-9f64-cb0e15418e31" IssueInstant="2021-03-01T16:03:53Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
     <saml:Issuer>https://sts.windows.net/dbc34791-87a3-4631-95b9-8198b33a9e23/</saml:Issuer>
     <ds:Signature
         xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:SignedInfo>
             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
             <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
             <ds:Reference URI="#CS_8db18af8-7aaf-420a-9f64-cb0e15418e31">
                 <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                 </ds:Transforms>
                 <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                 <ds:DigestValue>...</ds:DigestValue>
             </ds:Reference>
         </ds:SignedInfo>
         <ds:SignatureValue>...</ds:SignatureValue>
         <ds:KeyInfo>
             <ds:KeyValue>
                 <ds:RSAKeyValue>
                     <ds:Modulus>...</ds:Modulus>
                     <ds:Exponent>AQAB</ds:Exponent>
                 </ds:RSAKeyValue>
             </ds:KeyValue>
             <ds:X509Data>
                 <ds:X509Certificate>...</ds:X509Certificate>
             </ds:X509Data>
         </ds:KeyInfo>
     </ds:Signature>
     <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
     <samlp:RequestedAuthnContext Comparison="exact">
         <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
     </samlp:RequestedAuthnContext>
 </samlp:AuthnRequest>

Getting an error:

Request Id: 57aec4e4-be0d-458b-836b-439ca35c6300
Correlation Id: 10efa970-908a-4cc5-b63d-69bb7022c5bb
Timestamp: 2021-03-01T16:20:26Z
Message: AADSTS7500525: There was an XML error in the SAML message at line 1, position 1. Verify that the XML content of the SAML messages conforms to the SAML protocol specifications.
Advanced diagnostics: Disable

Any help would be appreciated!

azure-ad-saml-sso

Hi @RomanKuzmik-0458, this most likely will require a support ticket. However, some users have found this page helpful in solving their issues with this error message. Please let me know if anything from there works for you. If not, I will set you up with a free support request.

Best,
James



Yes, please. The link above does not provide an answer on why a valid SAML request is rejected by Azure AD. We know 100% the request is valid; it passed validation on many different platforms.
We would love to understand why the request is rejected so we can integrate our customers with Azure AD.

RomanKuzmik answered MuhammadQadir-1986 commented

After further debugging we have found out that Azure AD does NOT support "Compressed SAML Authentication Requests".
Once we turned this feature OFF on our side, SSO with SAML started to work as expected.


Kindly provide how to turn off this feature in Postman.

wes-jones answered wes-jones published

Was that on a POST binding, and if the AuthnRequest were base64 encoded, would that also explain it?

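The encoding difference behind the finding above, and behind the follow-up about the POST binding: in the SAML 2.0 Bindings specification, DEFLATE compression belongs to the HTTP-Redirect binding (compress, base64, URL-encode into the query string), while the HTTP-POST binding carries plain base64-encoded XML in the SAMLRequest form field. An SP that compresses a POST-bound AuthnRequest hands the IdP a base64 string whose decoded bytes are DEFLATE data rather than `<?xml`, which is exactly the shape of an "XML error at line 1, position 1" from a receiver that does not inflate POST payloads. The script below is an added example, not code from any poster or from Azure AD; the AuthnRequest, entity IDs and URLs are constructed placeholders, and the classifier only mimics what a non-inflating receiver would see.

```python
"""Encode a SAML 2.0 AuthnRequest for the HTTP-POST and HTTP-Redirect bindings
and classify what a receiving IdP finds inside a POSTed SAMLRequest field.

Added example (not from the thread). The sample request, issuer and URLs are
constructed placeholders.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed, unsigned sample AuthnRequest with placeholder identifiers.
SAMPLE_AUTHN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="CS_example-request-id" Version="2.0" IssueInstant="2021-03-01T16:03:53Z" '
    'Destination="https://idp.example.test/saml2" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.test/sso/acs">'
    '<saml:Issuer>https://sp.example.test/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
).encode("utf-8")


def _raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE stream (no zlib header/trailer), as the Redirect binding requires."""
    compressor = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
    return compressor.compress(data) + compressor.flush()


def encode_for_post(xml_bytes: bytes) -> str:
    """HTTP-POST binding: base64 of the XML as-is. No compression step."""
    return base64.b64encode(xml_bytes).decode("ascii")


def encode_compressed_post(xml_bytes: bytes) -> str:
    """The misconfiguration from the thread: a 'compressed' request sent via POST.

    Base64 of raw-DEFLATE data placed in the SAMLRequest form field."""
    return base64.b64encode(_raw_deflate(xml_bytes)).decode("ascii")


def encode_for_redirect(xml_bytes: bytes) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoding."""
    b64 = base64.b64encode(_raw_deflate(xml_bytes)).decode("ascii")
    return urllib.parse.quote(b64, safe="")


def decode_redirect_param(param: str) -> str:
    """Undo the URL-encoding layer of a Redirect-binding SAMLRequest value."""
    return urllib.parse.unquote(param)


def _is_authn_request(data: bytes) -> bool:
    """True if data parses as XML whose root element is samlp:AuthnRequest."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    return root.tag == f"{{{SAMLP}}}AuthnRequest"


def classify_post_payload(saml_request_field: str) -> str:
    """Classify the bytes a receiver sees after base64-decoding a SAMLRequest field.

    "xml"          - plain XML with an AuthnRequest root (correct for POST)
    "deflated-xml" - raw-DEFLATE data that inflates to an AuthnRequest; a
                     receiver that does not inflate POST payloads sees non-XML
                     bytes at line 1, position 1
    "not-xml"      - neither
    """
    raw = base64.b64decode(saml_request_field, validate=True)
    if _is_authn_request(raw):
        return "xml"
    try:
        inflated = zlib.decompress(raw, wbits=-zlib.MAX_WBITS)
    except zlib.error:
        return "not-xml"
    return "deflated-xml" if _is_authn_request(inflated) else "not-xml"


if __name__ == "__main__":
    for label, field in [
        ("POST, uncompressed", encode_for_post(SAMPLE_AUTHN_REQUEST)),
        ("POST, compressed (thread's failing case)", encode_compressed_post(SAMPLE_AUTHN_REQUEST)),
        ("Redirect param, URL-decoded", decode_redirect_param(encode_for_redirect(SAMPLE_AUTHN_REQUEST))),
    ]:
        decoded = base64.b64decode(field)
        print(f"{label}: first bytes {decoded[:5]!r} -> {classify_post_payload(field)}")
```

Running the script shows the POST-compressed payload decoding to binary bytes instead of `<?xml`, which is the quickest check to run on an SP's outgoing SAMLRequest before opening a support case: for the POST binding the classifier must report "xml".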