
JaparJarkynbyek-2351 asked:

AADSTS900236: The SAML authentication request property 'Scoping/ProxyCount' is not supported and must not be set.

Hello, I am building SAML SSO with an Azure AD non-gallery application. My SP side is built with Spring Boot. When I send the SSO login request to Azure AD, I receive the following error:

[Screenshot attached: 18292-image.png]


I copied the troubleshooting details and pasted them into the Azure test page, and I got the following resolution, which makes no sense to me:

Root cause: Unsupported authentication context compare in the signing request (SAML request)
Resolution:
Azure AD only supports Auth context compare equal to “exact”. You need to work with the service provider to change the comparison method to “exact” or remove the comparison option from the RequestedAuthContext element.

[Screenshot attached: 18263-image.png]

Can anybody help me solving this problem?

Tags: azure-active-directory, azure-ad-single-sign-on, azure-ad-app-development, azure-app-configuration, azure-spring-cloud

1 Answer

soumi-MSFT answered:

@JaparJarkynbyek-2351, thank you for reaching out. This error comes up because a non-supported value is set in the Scoping element of the AuthnRequest. The following values for the Scoping element are not supported by AAD:

  • ProxyCount attribute

  • IDPListOption

  • RequesterID element

You can refer to this extract of an unsupported SAML AuthnRequest for reference:

    <saml:Issuer>https://terena.org/sp</saml:Issuer>
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        AllowCreate="true"/>
    <samlp:Scoping>
      <!-- samlp:RequesterID is not supported by AAD -->
      <samlp:RequesterID>https://eventr.geant.org/mellon/metadata</samlp:RequesterID>
    </samlp:Scoping>
  </samlp:AuthnRequest>

Moreover, the Scoping element, which includes a list of identity providers, is optional in AuthnRequest elements. You can try removing it from your AuthnRequest and then give it a try.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

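The answer above lists the Scoping values Azure AD rejects, and the troubleshooting text in the question adds a second restriction: RequestedAuthnContext must use Comparison="exact". The following is an added example, not code from the original thread or from Microsoft, that lints an AuthnRequest for both restrictions before it is sent, and shows the fix the asker applied (dropping the whole Scoping element). The sample request, its issuer URL, tenant ID and ACS URL are constructed for illustration and carry no relation to the asker's setup.

```python
"""Lint a SAML 2.0 AuthnRequest for the Azure AD restrictions discussed in this thread.

Added example (not from the original post). Checks:
  - samlp:Scoping/@ProxyCount, samlp:Scoping/samlp:IDPList and
    samlp:Scoping/samlp:RequesterID are flagged (AADSTS900236 family).
  - samlp:RequestedAuthnContext/@Comparison other than "exact" is flagged.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Keep the conventional prefixes when re-serialising instead of ns0/ns1.
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample request: a Spring-style SP that sets every value AAD rejects.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-id" Version="2.0" IssueInstant="2021-01-01T00:00:00Z"
    Destination="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
    AssertionConsumerServiceURL="https://sp.example.com/saml/SSO">
  <saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
  <samlp:Scoping ProxyCount="2">
    <samlp:RequesterID>https://sp.example.com/saml/metadata</samlp:RequesterID>
  </samlp:Scoping>
</samlp:AuthnRequest>"""


def lint_authn_request(xml_text: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means AAD-compatible."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return [f"root element is {root.tag}, expected samlp:AuthnRequest"]

    findings = []
    scoping = root.find(f"{{{SAMLP}}}Scoping")
    if scoping is not None:
        if "ProxyCount" in scoping.attrib:
            findings.append("Scoping/ProxyCount attribute is set; not supported by Azure AD")
        if scoping.find(f"{{{SAMLP}}}IDPList") is not None:
            findings.append("Scoping/IDPList is present; not supported by Azure AD")
        for requester in scoping.findall(f"{{{SAMLP}}}RequesterID"):
            findings.append(f"Scoping/RequesterID {requester.text!r} is present; not supported by Azure AD")

    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is not None:
        # SAML 2.0 core: when Comparison is absent, "exact" is assumed.
        comparison = rac.get("Comparison", "exact")
        if comparison != "exact":
            findings.append(f"RequestedAuthnContext/Comparison={comparison!r} is set; Azure AD only supports 'exact'")
    return findings


def strip_scoping(xml_text: str) -> str:
    """Remove the entire samlp:Scoping element, which is optional in an AuthnRequest."""
    root = ET.fromstring(xml_text)
    for scoping in root.findall(f"{{{SAMLP}}}Scoping"):
        root.remove(scoping)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in lint_authn_request(SAMPLE_REQUEST):
        print(" -", finding)
    print("after strip_scoping:", lint_authn_request(strip_scoping(SAMPLE_REQUEST)))
```

Run the linter against the request your SP actually emits (decode the SAMLRequest parameter from the browser first; a redirect binding request is DEFLATE-compressed and base64-encoded). Removing Scoping clears the AADSTS900236 error, but a non-"exact" Comparison is a separate problem that only the RequestedAuthnContext check catches.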

Hi @soumi-MSFT,

Thank you very much for your quick response. I resolved my problem by removing the entire <samlp:Scoping> element.
