articles/active-directory/manage-apps/application-sign-in-problem-federated-sso-gallery.md
Lines changed: 28 additions & 1 deletion
@@ -157,7 +157,7 @@ Azure AD doesn’t support the SAML request sent by the application for single s
157
157
158
158
The application vendor should validate that they support the Azure AD SAML implementation for single sign-on.
159
159
160
-
## No resource in requiredResourceAccess list
160
+
## Misconfigured application
161
161
162
162
*Error AADSTS650056: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant.*.
163
163
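Review bot: the new AADSTS650056 error line ends with the period both inside and outside the italic span (`...on behalf of the tenant.*.`), which renders as a doubled period; drop the `.` after the closing `*`. Since the heading is being renamed away from "No resource in requiredResourceAccess list", readers who search for the old error wording will no longer find this section; consider keeping a one-line mention of the old name so existing links and searches still land here.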
@@ -234,6 +234,33 @@ Azure AD wasn’t able to identify the SAML request within the URL parameters in
234
234
235
235
The application needs to send the SAML request encoded into the location header using HTTP redirect binding. For more information about how to implement it, read the section HTTP Redirect Binding in the [SAML protocol specification document](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf).
236
236
237
+
## Azure AD is sending the token to an incorrect endpoint
238
+
239
+
**Possible cause**
240
+
241
+
During single sign-on, if the sign-in request does not contain an explicit reply URL (Assertion Consumer Service URL) then Azure AD will select any of the configured rely URLs for that application. Even if the application has an explicit reply URL configured, the user may be to redirected https://127.0.0.1:444.
242
+
243
+
When the application was added as a non-gallery app, Azure Active Directory created this reply URL as a default value. This behavior has changed and Azure Active Directory no longer adds this URL by default.
244
+
245
+
**Resolution**
246
+
247
+
Delete the unused reply URLs configured for the application.
248
+
249
+
1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator** or **Co-admin**.
250
+
251
+
2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu.
252
+
253
+
3. Type **“Azure Active Directory"** in the filter search box and select the **Azure Active Directory** item.
254
+
255
+
4. Select **Enterprise Applications** from the Azure Active Directory left-hand navigation menu.
256
+
257
+
5. Select **All Applications** to view a list of all your applications.
258
+
259
+
If you do not see the application you want show up here, use the **Filter** control at the top of the **All Applications List** and set the **Show** option to **All Applications**.
260
+
261
+
6. Select the application you want to configure for single sign-on.
262
+
263
+
7. Once the application loads, open **Basic SAML configuration**. In the **Reply URL (Assertion Consumer Service URL)**, delete unused or default Reply URLs created by the system. For example, `https://127.0.0.1:444/applications/default.aspx`.
237
264
238
265
## Problem when customizing the SAML claims sent to an application
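Review bot: two typos in the new "Possible cause" paragraph: "any of the configured rely URLs" should read "reply URLs", and "the user may be to redirected https://127.0.0.1:444" should read "the user may be redirected to https://127.0.0.1:444". It is also worth saying why the cleanup matters, not only that sign-in breaks: the paragraph itself states that Azure AD will send the token to any configured reply URL, so every entry left in that list is an endpoint that receives a signed assertion, and the list should contain only endpoints the application actually owns.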
# Problems signing in to a non-gallery application configured for federated single sign-on
25
25
26
-
To troubleshoot your problem, you need to verify the application configuration in Azure AD as follow:
26
+
To troubleshoot the sign-in issues below, we recommend you follow these suggestion to get better diagnosis and automate the resolution steps:
27
27
28
-
- You have followed all the configuration steps for the Azure AD gallery application.
29
-
30
-
- The Identifier and Reply URL configured in AAD match they expected values in the application
31
-
32
-
- You have assigned users to the application
28
+
- Install the [My Apps Secure Browser Extension](access-panel-extension-problem-installing.md) to help Azure Active Directory (Azure AD) to provide better diagnosis and resolutions when using the testing experience in the Azure portal.
29
+
- Reproduce the error using the testing experience in the app configuration page in the Azure portal. Learn more on [Debug SAML-based single sign-on applications](../develop/howto-v1-debug-saml-sso-issues.md)
33
30
34
31
## Application not found in directory
35
32
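Review bot: grammar in the new intro sentence: "follow these suggestion to get better diagnosis" should be "follow these suggestions to get a better diagnosis". The removed checklist (gallery configuration steps completed, Identifier and Reply URL matching the application's expected values, users assigned to the application) is still the manual fallback for readers who cannot install the browser extension; consider keeping it as a short "If you can't use the testing experience" list rather than dropping it entirely.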
@@ -41,7 +38,7 @@ The Issuer attribute sends from the application to Azure AD in the SAML request
41
38
42
39
**Resolution**
43
40
44
-
Ensure that the Issuer attribute in the SAML request it’s matching the Identifier value configured in Azure AD:
41
+
Ensure that the `Issuer` attribute in the SAML request matches the Identifier value configured in Azure AD. If you use the [testing experience](../develop/howto-v1-debug-saml-sso-issues.md) in the Azure portal with the My Apps Secure Browser Extension, you don't need to manually follow these steps.
45
42
46
43
1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator** or **Co-admin.**
47
44
@@ -59,9 +56,7 @@ Ensure that the Issuer attribute in the SAML request it’s matching the Identif
59
56
60
57
7. Once the application loads, click the **Single sign-on** from the application’s left-hand navigation menu.
61
58
62
-
8. <spanid="_Hlk477190042"class="anchor"></span>Go to **Domain and URLs** section. Verify that the value in the Identifier textbox is matching the value for the identifier value displayed in the error.
63
-
64
-
After you have updated the Identifier value in Azure AD and it’s matching the value sends by the application in the SAML request, you should be able to sign in to the application.
59
+
8. Once the application loads, open **Basic SAML configuration**. Verify that the value in the Identifier textbox matches the value for the identifier value displayed in the error.
65
60
66
61
## The reply address does not match the reply addresses configured for the application.
67
62
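Review bot: the new step 8 repeats the opener of step 7 ("Once the application loads, click the **Single sign-on**..."), so two consecutive steps begin "Once the application loads"; start step 8 with "Open **Basic SAML configuration**" instead. "matches the value for the identifier value displayed in the error" doubles "value"; "matches the identifier value shown in the error" reads cleaner. This hunk also drops the closing line "After you have updated the Identifier value ... you should be able to sign in", while the Reply URL section below keeps and rewords its equivalent closing line; the two sections should be consistent.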
@@ -73,7 +68,7 @@ The AssertionConsumerServiceURL value in the SAML request doesn't match the Repl
73
68
74
69
**Resolution**
75
70
76
-
Ensure that the AssertionConsumerServiceURL value in the SAML request it's matching the Reply URL value configured in Azure AD.
71
+
Ensure that the `Issuer` attribute in the SAML request matches the Identifier value configured in Azure AD. If you use the [testing experience](../develop/howto-v1-debug-saml-sso-issues.md) in the Azure portal with the My Apps Secure Browser Extension, you don't need to manually follow these steps.
77
72
78
73
1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator** or **Co-admin.**
79
74
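Review bot: the replacement line in the Reply URL resolution is a copy-paste from the Identifier section. It says "Ensure that the `Issuer` attribute in the SAML request matches the Identifier value configured in Azure AD", but this section (see the hunk's context line and the removed line) is about `AssertionConsumerServiceURL` matching the Reply URL. Suggest: "Ensure that the `AssertionConsumerServiceURL` value in the SAML request matches the Reply URL value configured in Azure AD." followed by the testing-experience sentence.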
@@ -91,11 +86,9 @@ Ensure that the AssertionConsumerServiceURL value in the SAML request it's match
91
86
92
87
7. Once the application loads, click the **Single sign-on** from the application’s left-hand navigation menu.
93
88
94
-
8. Go to **Domain and URLs** section. Verify or update the value in the Reply URL textbox to match the AssertionConsumerServiceURL value in the SAML request.
95
-
96
-
* If you don't see the Reply URL textbox, select the **Show advanced URL settings** checkbox.
97
-
98
-
After you have updated the Reply URL value in Azure AD and it’s matching the value sends by the application in the SAML request, you should be able to sign in to the application.
89
+
8. Once the application loads, open **Basic SAML configuration**. Verify or update the value in the Reply URL textbox to match the `AssertionConsumerServiceURL` value in the SAML request.
90
+
91
+
After you've updated the Reply URL value in Azure AD, and it matches the value sent by the application in the SAML request, you should be able to sign in to the application.
99
92
100
93
## User not assigned a role
101
94
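Review bot: same duplication as in the Identifier section: step 8 opens with "Once the application loads", which step 7 already said; begin with "Open **Basic SAML configuration**". Removing the "Show advanced URL settings" sub-bullet is fine only if the Reply URL field is always visible in the new Basic SAML configuration pane; please confirm, since the bullet existed because the textbox could be hidden by default.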
@@ -107,7 +100,7 @@ The user has not been granted access to the application in Azure AD.
107
100
108
101
**Resolution**
109
102
110
-
To assign one or more users to an application directly, follow the steps below:
103
+
To assign one or more users to an application directly, follow the steps below. If you use the [testing experience](../develop/howto-v1-debug-saml-sso-issues.md) in the Azure portal with the My Apps Secure Browser Extension, you don't need to manually follow these steps.
111
104
112
105
1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
113
106
@@ -165,39 +158,35 @@ Azure AD doesn’t support the SAML Request sent by the application for Single S
165
158
166
159
-[Azure AD Single Sign-on SAML protocol requirements](https://docs.microsoft.com/azure/active-directory/develop/active-directory-single-sign-on-protocol-reference)
167
160
168
-
They should validate they support the Azure AD SAML implementation for Single Sign-on.
161
+
The application vendor should validate that they support the Azure AD SAML implementation for single sign-on.
169
162
170
-
## No resource in requiredResourceAccess list
163
+
## Misconfigured application
171
164
172
-
*Error AADSTS65005: The client application has requested access to resource '00000002-0000-0000-c000-000000000000'. This request has failed because the clienthas not specified this resource in its requiredResourceAccess list*.
165
+
*Error AADSTS650056: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant.*.
173
166
174
167
**Possible cause**
175
168
176
-
The application object is corrupted.
169
+
The `Issuer` attribute sent from the application to Azure AD in the SAML request doesn’t match the Identifier value configured for the application in Azure AD.
177
170
178
171
**Resolution**
179
172
180
-
To solve the problem, remove the application from the directory. Then, add and reconfigure the application, follow the steps below:
173
+
Ensure that the `Issuer` attribute in the SAML request matches the Identifier value configured in Azure AD. If you use the [testing experience](../develop/howto-v1-debug-saml-sso-issues.md) in the Azure portal with the My Apps Secure Browser Extension, you don't need to manually follow these steps:
181
174
182
-
1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator** or **Co-admin.**
183
-
184
-
2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
185
-
186
-
3. Type in **“Azure Active Directory**” in the filter search box and select the **Azure Active Directory** item.
175
+
1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator** or **Co-admin**.
187
176
188
-
4.click **Enterprise Applications**from the Azure Active Directory left-hand navigation menu.
177
+
1.Open the **Azure Active Directory Extension**by selecting **All services** at the top of the main left-hand navigation menu.
189
178
190
-
5.click**All Applications**to view a list of all your applications.
179
+
1.Type**“Azure Active Directory"**in the filter search box and select the **Azure Active Directory** item.
191
180
192
-
* If you do not see the application you want show up here, use the **Filter** control at the top of the **All Applications List**and set the **Show** option to **All Applications.**
181
+
1. Select **Enterprise Applications**from the Azure Active Directory left-hand navigation menu.
193
182
194
-
6. Select the application you want to configure single sign-on.
183
+
1. Select **All Applications** to view a list of all your applications.
195
184
196
-
7. Click **Delete** at the top-left of the application **Overview** pane.
185
+
If you do not see the application you want show up here, use the **Filter**control at the top of the **All Applications List** and set the **Show** option to **All Applications**.
197
186
198
-
8.Refresh Azure AD and Add the application from the Azure AD gallery. Then, Configure the application again.
187
+
1.Select the application you want to configure for single sign-on.
199
188
200
-
After reconfiguring the application, you should be able to sign in to the application.
189
+
1. Once the application loads, open **Basic SAML configuration**. Verify that the value in the Identifier textbox matches the value for the identifier value displayed in the error.
201
190
202
191
## Certificate or key not configured
203
192
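Review bot: the new "Possible cause" and "Resolution" for AADSTS650056 don't match the error text they follow. The error lists three causes (no permissions listed for 'AAD Graph' in the app registration, admin consent not granted in the tenant, application identifier in the request not matching the configured client application identifier), but the new cause/resolution text is a copy of the "Application not found in directory" section and covers only the Issuer/Identifier mismatch; the permissions and consent causes need their own cause and resolution (the error itself says to have an admin fix the configuration or consent on behalf of the tenant). Further points: (1) the hunk removes the link "[Azure AD Single Sign-on SAML protocol requirements]" from the preceding section without a replacement, so the vendor is told to validate their implementation but no longer has a reference to validate against; (2) several new list lines lack spaces around the bold markers or after the list number ("1.Open the **Azure Active Directory Extension**by selecting", "1.Type**“Azure Active Directory"**in", "**Enterprise Applications**from", "**Filter**control", "1.Select the application"), which will break the bold rendering; (3) the colon ending "you don't need to manually follow these steps:" should be a period, as in the other sections.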
@@ -235,6 +224,48 @@ To delete and create a new certificate, follow the steps below:
235
224
236
225
11. Under the **SAML Signing Certificate** section, click **remove** to remove the **Unused** certificate.
237
226
227
+
## SAML Request not present in the request
228
+
229
+
*Error AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding.*
230
+
231
+
**Possible cause**
232
+
233
+
Azure AD wasn’t able to identify the SAML request within the URL parameters in the HTTP request. This can happen if the application is not using HTTP redirect binding when sending the SAML request to Azure AD.
234
+
235
+
**Resolution**
236
+
237
+
The application needs to send the SAML request encoded into the location header using HTTP redirect binding. For more information about how to implement it, read the section HTTP Redirect Binding in the [SAML protocol specification document](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf).
238
+
239
+
## Azure AD is sending the token to an incorrect endpoint
240
+
241
+
**Possible cause**
242
+
243
+
During single sign-on, if the sign-in request does not contain an explicit reply URL (Assertion Consumer Service URL) then Azure AD will select any of the configured rely URLs for that application. Even if the application has an explicit reply URL configured, the user may be to redirected https://127.0.0.1:444.
244
+
245
+
When the application was added as a non-gallery app, Azure Active Directory created this reply URL as a default value. This behavior has changed and Azure Active Directory no longer adds this URL by default.
246
+
247
+
**Resolution**
248
+
249
+
Delete the unused reply URLs configured for the application.
250
+
251
+
1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator** or **Co-admin**.
252
+
253
+
2. Open the **Azure Active Directory Extension** by selecting **All services** at the top of the main left-hand navigation menu.
254
+
255
+
3. Type **“Azure Active Directory"** in the filter search box and select the **Azure Active Directory** item.
256
+
257
+
4. Select **Enterprise Applications** from the Azure Active Directory left-hand navigation menu.
258
+
259
+
5. Select **All Applications** to view a list of all your applications.
260
+
261
+
If you do not see the application you want show up here, use the **Filter** control at the top of the **All Applications List** and set the **Show** option to **All Applications**.
262
+
263
+
6. Select the application you want to configure for single sign-on.
264
+
265
+
7. Once the application loads, open **Basic SAML configuration**. In the **Reply URL (Assertion Consumer Service URL)**, delete unused or default Reply URLs created by the system. For example, `https://127.0.0.1:444/applications/default.aspx`.
266
+
267
+
268
+
238
269
## Problem when customizing the SAML claims sent to an application
239
270
240
271
To learn how to customize the SAML attribute claims sent to your application, see [Claims mapping in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-claims-mapping) for more information.
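Review bot: the same two typos as in the gallery article's copy of this section appear here: "rely URLs" should be "reply URLs" and "may be to redirected https://127.0.0.1:444" should be "may be redirected to https://127.0.0.1:444". The hunk also adds three empty lines (new lines 266-268) before "## Problem when customizing the SAML claims", leaving extra blank lines; one is enough. Since the "SAML Request not present in the request" and "Azure AD is sending the token to an incorrect endpoint" sections are now duplicated verbatim between the gallery and non-gallery articles, consider sharing the text so later fixes don't have to be applied twice.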