How to Resolve the AADSTS750032 Error of Microsoft Entra ID

Overview

This article explains how to resolve the AADSTS750032 error when Auth0 is the SAML service provider (SP) and Microsoft Entra ID is the SAML identity provider (IdP).

The exact error thrown by Entra ID:

AADSTS750032: SAML protocol response cannot be sent via bindings other than HTTP POST. Requested binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

Applies To

  • Microsoft Entra ID
  • SAML
  • AADSTS750032

Cause

This error means that the SAML service provider (Auth0) set the ProtocolBinding attribute of its AuthnRequest to the HTTP-Redirect binding, i.e. it asked Microsoft Entra ID to return the SAML response in the query string of a redirect URL rather than in the body of a POST.

Microsoft Entra ID only returns SAML responses with the HTTP-POST binding, so if the AuthnRequest carries a ProtocolBinding attribute at all, Entra ID requires it to be urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST (the attribute may also be omitted). Note that ProtocolBinding tells the identity provider how to deliver the response; it is independent of how the AuthnRequest itself is transported, so the request can still be sent to Entra ID with HTTP-Redirect while the response comes back with HTTP-POST. Rejecting HTTP-Redirect for responses is the expected behaviour of an identity provider: a signed response carrying assertions is far too large for a URL, and a query string would expose it in browser history, proxy logs and Referer headers.

Auth0 sends ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" in the AuthnRequest, and Entra ID returns the error above, in either of the following cases:

  1. The Request Template of the SAML enterprise connection overrides the ProtocolBinding attribute with HTTP-Redirect, e.g.:
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ForceAuthn="true"
        ID="@@ID@@"
        IsPassive="false"
        IssueInstant="@@IssueInstant@@"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Version="2.0">
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer>
    </samlp:AuthnRequest>
    
  2. The Protocol Binding option of the SAML enterprise connection is set to HTTP-Redirect and the Request Template is the default one, in which the attribute is the placeholder ProtocolBinding="@@ProtocolBinding@@", so the connection's option value is substituted into the request.

Solution

  1. If the connection's Protocol Binding option has to stay set to HTTP-Redirect, hard-code the ProtocolBinding attribute in the Request Template to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST. This decouples the binding requested for the response from the connection option:

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ForceAuthn="true"
        ID="@@ID@@"
        IsPassive="false"
        IssueInstant="@@IssueInstant@@"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Version="2.0">
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer>
    </samlp:AuthnRequest>
    

  2. Alternatively, clear the connection's Protocol Binding option (leave it blank) and keep the default Request Template, with ProtocolBinding="@@ProtocolBinding@@":

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ForceAuthn="true"
        ID="@@ID@@"
        IsPassive="false"
        IssueInstant="@@IssueInstant@@"
        ProtocolBinding="@@ProtocolBinding@@"
        Version="2.0">
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer>
    </samlp:AuthnRequest>
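The following Python script is added here as a worked example for the Cause and Solution sections above; it is not Auth0's or Microsoft's code. It renders the Request Template with the connection's Protocol Binding option substituted into @@ProtocolBinding@@, encodes the AuthnRequest the way the HTTP-Redirect binding does (raw DEFLATE, base64, URL-encode), decodes a captured ...saml2?SAMLRequest=... URL, and applies the rule stated in the Cause section (ProtocolBinding absent, or equal to HTTP-POST). The placeholder substitution, the sample ID, IssueInstant and Issuer values, and the tenant URL are constructed for the example; how Auth0 fills the placeholder when the option is left blank is not shown in this article and is modelled as omitting the attribute.

```python
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Default Request Template from the article. Auth0 fills the @@Name@@ placeholders
# at request time; the substitution implemented below is this example's own.
DEFAULT_TEMPLATE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ForceAuthn="true"
    ID="@@ID@@"
    IsPassive="false"
    IssueInstant="@@IssueInstant@@"
    ProtocolBinding="@@ProtocolBinding@@"
    Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed sample values standing in for what Auth0 would substitute.
SAMPLE_VALUES = {
    "ID": "_5f3a1c2e9b7d4a6f8e0c1b2a3d4e5f60",
    "IssueInstant": "2024-01-15T10:00:00Z",
    "Issuer": "urn:example-tenant.auth0.com",
}


def render_template(template, values):
    """Replace every @@Name@@ placeholder with the matching value."""
    return re.sub(r"@@(\w+)@@", lambda m: values[m.group(1)], template)


def strip_protocol_binding(template):
    """Remove the ProtocolBinding attribute entirely (a request without it is accepted)."""
    return re.sub(r'\s+ProtocolBinding="[^"]*"', "", template)


def build_request(connection_protocol_binding, template=DEFAULT_TEMPLATE):
    """Render the template as the article describes it: the connection's Protocol
    Binding option is the value that fills @@ProtocolBinding@@."""
    values = dict(SAMPLE_VALUES, ProtocolBinding=connection_protocol_binding)
    return render_template(template, values)


def encode_redirect(xml_text):
    """Encode an AuthnRequest for the HTTP-Redirect binding (SAML Bindings 3.4.4.1):
    raw DEFLATE, then base64, then URL-encode, as it appears in ?SAMLRequest=..."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect(saml_request_param):
    """Reverse encode_redirect. unquote is a no-op on an already URL-decoded value."""
    deflated = base64.b64decode(urllib.parse.unquote(saml_request_param))
    return zlib.decompress(deflated, -15).decode("utf-8")


def requested_response_binding(xml_text):
    """Return the ProtocolBinding attribute of an AuthnRequest, or None if omitted."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    return root.get("ProtocolBinding")


def entra_would_reject(xml_text):
    """The rule from the article: ProtocolBinding may be omitted, but if present it
    must be HTTP-POST. Returns (rejected, binding_requested)."""
    binding = requested_response_binding(xml_text)
    return (binding is not None and binding != HTTP_POST), binding


def check_redirect_url(url):
    """Inspect a captured redirect to the IdP (.../saml2?SAMLRequest=...&RelayState=...)
    and report whether the AuthnRequest it carries would trigger AADSTS750032."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return entra_would_reject(decode_redirect(query["SAMLRequest"][0]))


if __name__ == "__main__":
    idp = "https://login.microsoftonline.com/TENANT-ID/saml2?SAMLRequest="  # constructed URL
    # Cause 2: connection option HTTP-Redirect, default template.
    bad = build_request(HTTP_REDIRECT)
    print(check_redirect_url(idp + encode_redirect(bad)))  # (True, '...HTTP-Redirect')
    # Solution 1: keep the HTTP-Redirect option, hard-code HTTP-POST in the template.
    fixed = build_request(HTTP_REDIRECT, DEFAULT_TEMPLATE.replace("@@ProtocolBinding@@", HTTP_POST))
    print(check_redirect_url(idp + encode_redirect(fixed)))  # (False, '...HTTP-POST')
    # Solution 2, modelled as the attribute being omitted (assumption, see lead-in).
    omitted = build_request("", strip_protocol_binding(DEFAULT_TEMPLATE))
    print(check_redirect_url(idp + encode_redirect(omitted)))  # (False, None)
```

To check a live login, copy the URL of the redirect to login.microsoftonline.com from the browser's address bar or network tab and pass it to check_redirect_url; a result of (True, '...HTTP-Redirect') reproduces the condition behind AADSTS750032, and after applying either solution the same check should return False.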