Question
I keep getting "AADSTS75005: The request is not a valid Saml2 protocol message." when I try to send an AuthnRequest to Azure AD/idp.
The XML looks like this before I zip it, convert it to a base64 string and URL-encode the message.
<samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="ide13dd575-3f6c-4131-9b9d-e12c644cf18f" Version="2.0" IssueInstant="2016-11-14T14:28:27.5450323Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">{homepage url registered in azure app registrations}</Issuer></samlp:AuthnRequest>
The user is redirected to https://login.microsoftonline.com/{SAML-P Sign-On Endpoint from endpoints in app in azure}/saml2?SAMLRequest={encoded saml request removed}
The same works when I send it to another SAML2 IdP (which uses SimpleSAMLphp).
The web browser is redirected to https://login.windows.net/{endpoint id}/saml2?SAMLRequest=jZBLasMwFEW3YjRXbKny72EbAqVgaCkkbQedBEVWiKktuXrP%2faytgy6pW6hJhoXQ6YV7OPf%2bfH1XqMdhgvVMR7exr7NFij7GwWHN5uDAa%2bwRnB4tAhnYru9uQa4SGC3pTpNmUXtds77rrCjy9KB4LpXian%2bV8aJLUl6Wpdknytg0y1n0ZAP23tVsQSxNxNm2Dkk7WqJEZFwILtSDlCBSkHIlZCbLtHhmZyU4uV4Wm4Jnb%2fzAmurED%2f9ZoxFtoMWMNUeiCSGOx8%2fHTbu78WG3JW1e7t9sOAz%2bvYrP1KaK%2fx7X%2fAI%3d
Answer 1:
As @Steve already mentioned above, the problem seems to be with the way you are deflating/encoding the AuthenticationRequest. Try using the sample code at https://stackoverflow.com/a/25155050/983244, assuming that you are using .NET (you mentioned DeflateStream).
I would also clear out the namespace declarations so that your AuthnRequest looks like
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ide13dd575-3f6c-4131-9b9d-e12c644cf18f"
Version="2.0"
IssueInstant="2016-11-14T14:28:27.5450323Z">
<saml:Issuer>{homepage url registered in azure app registrations}</saml:Issuer>
</samlp:AuthnRequest>
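The two points in this answer, the HTTP-Redirect binding encoding (raw DEFLATE, then base64, then URL-encoding) and an AuthnRequest that declares only the samlp/saml namespaces, as an added Python example (not code from the question, the answer or the linked .NET sample). The issuer, ID and timestamp are placeholders, and check_saml_request is an assumed diagnostic that decodes a SAMLRequest value the way an IdP would and names the encoding mistake it finds, including the common one of emitting a zlib or gzip header instead of a raw DEFLATE stream.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def build_authn_request(issuer, request_id, issue_instant):
    """AuthnRequest declaring only the protocol and assertion namespaces."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}">'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')

def encode_redirect_binding(xml_text, wrapped=False):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode.
    wrapped=True reproduces the common mistake of emitting a zlib header."""
    comp = zlib.compressobj(level=9, wbits=15 if wrapped else -15)  # -15 = raw
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(raw).decode("ascii"), safe="")

def decode_redirect_binding(param):
    """Inverse of the correct encoding; raises on malformed input."""
    return zlib.decompress(base64.b64decode(unquote(param)), -15).decode("utf-8")

def check_saml_request(param):
    """Diagnose a SAMLRequest query value roughly the way an IdP would (assumed helper)."""
    try:
        raw = base64.b64decode(unquote(param), validate=True)
    except Exception:
        return "bad base64 or URL encoding"
    try:
        xml_text = zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:
        try:
            zlib.decompress(raw, 47)  # 32 + 15: accept a zlib or gzip header
            return "zlib/gzip-wrapped (use raw DEFLATE)"
        except zlib.error:
            return "not DEFLATE data or truncated stream"
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "decompressed but not well-formed XML"
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return f"root is {root.tag}, expected samlp:AuthnRequest"
    if root.find(f"{{{SAML}}}Issuer") is None:
        return "missing saml:Issuer"
    return "ok"
```

An empty or truncated value, which is what a DeflateStream that was read before being closed typically produces, is reported as a truncated stream rather than as bad XML.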
Answer 2:
I found the problem to this. I created the app in the new Azure portal. It shows the endpoint to be https://login.windows.net/{myid}/saml2
I created a new app in the old portal and now it shows the endpoint to be https://login.microsoftonline.com/{myid}/saml2
If I look at both apps created (one in the new and one in the old portal) in the old portal, it shows https://login.microsoftonline.com/{myid}/saml2
If I do the same in the new portal, it shows https://login.windows.net/{myid}/saml2 on both apps.
So there was not any error with my code, but the Azure AD portal is reporting invalid endpoints in the new portal.
Source: https://stackoverflow.com/questions/40591257/correct-authnrequest-to-azure-ad-idp