0
votes

I keep getting "AADSTS75005: The request is not a valid Saml2 protocol message." when I try to send an AuthnRequest to Azure AD/idp.

The XML looks like this before I zip it, convert to base64string and url encode the message.

<samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="ide13dd575-3f6c-4131-9b9d-e12c644cf18f" Version="2.0" IssueInstant="2016-11-14T14:28:27.5450323Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">{homepage url registered in azure app registrations}</Issuer></samlp:AuthnRequest>

The user is being redirected to https://login.microsoftonline.com/{SAML-P Sign-On Endpoint from endpoints in app in azure}/saml2?SAMLRequest={encoded saml request removed}

The same works when I send it to another SAML2 IdP (which uses SimpleSAMLphp).

The web browser will be redirected to https://login.windows.net/{endpoint id}/saml2?SAMLRequest=jZBLasMwFEW3YjRXbKry72EbAqVgaCkkbQedBEVWiKktuXrP%2faytgy6pW6hJhoXQ6YV7OPf%2bfH1XqMdhgvVMR7exr7NFij7GwWHN5uDAa%2bwRnB4tAhnYru9uQa4SGC3pTpNmUXtds77rrCjy9KB4LpXian%2bV8aJLUl6Wpdknytg0y1n0ZAP23tVsQSxNxNm2Dkk7WqJEZFwILtSDlCBSkHIlZCbLtHhmZyU4uV4Wm4Inb%2fzAmurED%2f9ZoxFtoMWMNUeiCSGOx8%2fHTbu78WG3JW1e7t9sOAz%2bvYrP1KaK%2fx7X%2fAI%3d

2 comments

How are you zipping it? Are you building this request manually, or using a third party library to handle it? Can you provide a sample of the encoded request? - Steve

You mention a homepage URL, but that is supposed to be the Application ID URI. Make sure that is correct, and if that is correct there could be something wrong with the way you are submitting the request. - juunas

Steve: I'm using DeflateStream(output, CompressionMode.Compress) to compress it. I'm building the request manually, not using any library. Will update the question with an encoded request. juunas: I have tried different URIs: the application ID (which is just a GUID) and the Homepage URL (I guess this is where the authentication response will be posted). I just send the request with a query string parameter. - Mr Zach

2 Answers

0
votes

As @Steve already mentioned above, the problem seems to be with the way you are deflating/encoding the AuthnRequest. Try using the sample code at https://stackoverflow.com/a/25155050/983244, assuming that you are using .NET (you mentioned DeflateStream).

I would also clear out the namespace declarations so that your AuthnRequest looks like

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="ide13dd575-3f6c-4131-9b9d-e12c644cf18f"
                    Version="2.0" 
                    IssueInstant="2016-11-14T14:28:27.5450323Z">
    <saml:Issuer>{homepage url registered in azure app registrations}</saml:Issuer>
</samlp:AuthnRequest>
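To make the encoding step concrete, here is an added Python example (not code from the question, the answer, or the linked post) of the SAML 2.0 HTTP-Redirect binding pipeline the question describes: build the AuthnRequest with the namespaces declared as above, raw-DEFLATE it, base64-encode it, and URL-encode it into the SAMLRequest query parameter, plus the reverse path so a request can be checked before it is sent. It goes slightly beyond the thread by adding a diagnostic for the most common encoding slip, a zlib-framed stream instead of raw DEFLATE, which an IdP will reject as not a valid SAML message. The issuer and tenant values are placeholders, and `.NET`'s `DeflateStream` produces the same raw DEFLATE format that `wbits=-15` selects here.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(issuer, request_id=None, issue_instant=None):
    """Minimal AuthnRequest: protocol and assertion namespaces bound to
    prefixes, no default namespace, Issuer in the assertion namespace."""
    if request_id is None:
        request_id = "id" + str(uuid.uuid4())  # IDs must not start with a digit
    if issue_instant is None:
        issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def deflate_base64(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header or
    Adler-32 trailer), then base64."""
    comp = zlib.compressobj(level=9, wbits=-15)  # negative wbits = raw DEFLATE
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_base64(value):
    """Reverse of deflate_base64; raises zlib.error on zlib-framed input."""
    return zlib.decompress(base64.b64decode(value), wbits=-15).decode("utf-8")


def zlib_wrapped_base64(xml):
    """The common mistake, kept here only for comparison: zlib.compress adds
    a 2-byte header and a trailer, which is not what the binding specifies."""
    return base64.b64encode(zlib.compress(xml.encode("utf-8"))).decode("ascii")


def looks_zlib_wrapped(value):
    """Diagnostic: a zlib stream starts with CMF=0x78 and a FLG byte such that
    the 16-bit header is a multiple of 31; raw DEFLATE has no such header."""
    raw = base64.b64decode(value)
    return len(raw) >= 2 and raw[0] == 0x78 and ((raw[0] << 8) | raw[1]) % 31 == 0


def redirect_url(sso_endpoint, xml, relay_state=None):
    """Build the redirect target; urlencode percent-encodes '+', '/' and '='."""
    params = {"SAMLRequest": deflate_base64(xml)}
    if relay_state:
        params["RelayState"] = relay_state
    return sso_endpoint + "?" + urlencode(params)


def decode_redirect_url(url):
    """Recover the AuthnRequest XML from a redirect URL, for local checking."""
    qs = parse_qs(urlparse(url).query)
    return inflate_base64(qs["SAMLRequest"][0])


if __name__ == "__main__":
    # Placeholder values; the real issuer is the Application ID URI registered in Azure AD.
    xml = build_authn_request("https://sp.example.test/")
    url = redirect_url("https://login.microsoftonline.com/TENANT_PLACEHOLDER/saml2", xml)
    print(url)
    print(decode_redirect_url(url) == xml)  # round trip succeeds
    print(looks_zlib_wrapped(zlib_wrapped_base64(xml)))  # the wrong framing is detectable
```

Decoding your own SAMLRequest with `decode_redirect_url` before sending it is a quick sanity check: if `inflate_base64` raises, or `looks_zlib_wrapped` returns True, the compressor is emitting zlib framing rather than the raw DEFLATE stream the binding requires.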
0
votes

I found the problem to this. I created the app in the new Azure portal. It shows the endpoint to be https://login.windows.net/{myid}/saml2

I created a new app in the old portal and now it shows the endpoint to be https://login.microsoftonline.com/{myid}/saml2

If I look at both apps created (one in the new and one in the old portal) in the old portal, it shows https://login.microsoftonline.com/{myid}/saml2

If I do the same in the new portal, it shows https://login.windows.net/{myid}/saml2 on both apps.

So there was no error in my code, but the Azure AD portal is reporting invalid endpoints in the new portal.
