Overview
This article explains how to resolve the AADSTS750054 error when Auth0 is the SAML service provider and Microsoft Entra ID is the SAML identity provider.
The exact error thrown by Entra ID:
Error AADSTS750054 - SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding
Applies To
- Microsoft Entra ID
- SAML
- AADSTS750054
Cause
This error indicates Auth0 is sending the AuthN request in the POST body, which Microsoft Entra ID does not accept.
Solution
There are two options to solve this issue:
- Keep the Protocol Binding section of the SAML Enterprise connection empty. This ensures the SAML Request from Auth0 is sent as a query parameter. This setting works well with the default request template.
- Set the Protocol Binding setting to HTTP-Redirect. This ensures the AuthN requests are sent as a query parameter. However, this setting causes the ProtocolBinding field in the AuthN request to change to redirect binding in the default request template, causing another Entra ID error, AADSTS750032. The solution is to force the ProtocolBinding to HTTP-POST. Here is a sample request template setting the protocol binding to HTTP-POST in the AuthN request.
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ForceAuthn="true"
    ID="@@ID@@"
    IsPassive="false"
    IssueInstant="@@IssueInstant@@"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer>
</samlp:AuthnRequest>
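To confirm which case applies, the sign-in URL captured from the browser can be decoded and checked for both conditions described above. The following is an added example, not Auth0 or Microsoft code; the function names, the idp.example URL and the sample request are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, parse_qs

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample modelled on the template above; ID, timestamp and issuer are made up.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="{ns}" ID="_constructed1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" ProtocolBinding="{binding}">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "urn:example:sp</saml:Issuer></samlp:AuthnRequest>"
)


def sample_url(binding: str) -> str:
    """Build a constructed redirect URL: raw DEFLATE, base64, then URL-encode."""
    xml = SAMPLE_XML.format(ns=SAMLP_NS, binding=binding).encode()
    comp = zlib.compressobj(wbits=-15)  # -15 = raw DEFLATE, no zlib header
    blob = base64.b64encode(comp.compress(xml) + comp.flush()).decode()
    return "https://idp.example/saml2?" + urlencode({"SAMLRequest": blob})


def check_redirect_url(url: str) -> list:
    """Return problems found in a captured sign-in URL; an empty list means none."""
    params = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in params:
        return ["no SAMLRequest query parameter (AADSTS750054 condition)"]
    try:
        raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
        xml = zlib.decompressobj(wbits=-15).decompress(raw, 65536)  # cap output
    except (ValueError, zlib.error):
        return ["SAMLRequest is not base64-encoded raw DEFLATE"]
    if b"<!DOCTYPE" in xml:  # no DTDs belong in a SAML message
        return ["DOCTYPE present, refusing to parse"]
    try:
        root = ET.fromstring(xml)
    except ET.ParseError:
        return ["SAMLRequest does not inflate to well-formed XML"]
    problems = []
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        problems.append("unexpected root element " + root.tag)
    binding = root.get("ProtocolBinding")
    if binding != POST_BINDING:
        problems.append("ProtocolBinding is %r, not HTTP-POST (AADSTS750032 condition)" % binding)
    return problems
```

Pass the full URL of the redirect to the identity provider, as shown in the browser's network trace, to `check_redirect_url`.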