Overview
This article explains how to resolve the AADSTS750032 error when Auth0 is the SAML service provider and Microsoft Entra ID is the SAML Identity provider.
The exact error thrown by Entra ID:
AADSTS750032: SAML protocol response cannot be sent via bindings other than HTTP POST. Requested binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
Applies To
- Microsoft Entra ID
- SAML
- AADSTS750032
Cause
This error indicates that the SAML service provider (Auth0) in the AuthN request asks Microsoft Entra ID to return the SAML response as a query parameter.
Microsoft Entra ID only supports sending SAML responses in the post-body payload, so it expects that if the ProtocolBinding is sent in the AuthN payload, it has to be set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
In the following use case, Auth0 sends ProtocolBinding set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect in the AuthN request, which can cause the error.
- In the request template in the SAML enterprise connection, an overwrite was set for the ProtocolBinding to be HTTP-Redirect, E.g.
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ForceAuthn="true" ID="@@ID@@" IsPassive="false" IssueInstant="@@IssueInstant@@" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Version="2.0"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer> </samlp:AuthnRequest>
- The Protocol Binding option of the SAML enterprise connection was set to HTTP-Redirect, and the Request Template has the default template where ProtocolBinding was set to @@ProtocolBinding@@
Solution
-
If the connection’s Protocol Binding option has to be set to HTTP-Redirect, in the Request Template, set the ProtocolBinding to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ForceAuthn="true" ID="@@ID@@" IsPassive="false" IssueInstant="@@IssueInstant@@" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer> </samlp:AuthnRequest>
-
Alternatively, update the Protocol Binding to blank and use the default template with ProtocolBinding=“@@ProtocolBinding@@” in the Request Template section.
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ForceAuthn="true" ID="@@ID@@" IsPassive="false" IssueInstant="@@IssueInstant@@" ProtocolBinding="@@ProtocolBinding@@" Version="2.0"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer> </samlp:AuthnRequest>