The SAML authentication request property 'Subject' is not supported and must not be set

lihua.zhang · April 11, 2023, 6:04pm

Problem statement

When passing the Subject claim in an AuthnRequest to Azure AD, it gives the following error:
AADSTS900236: The SAML authentication request property ‘Subject’ is not supported and must not be set.

Symptoms

Auth0: SAML SP
Azure AD: SAML IdP
This can happen when the app passes a login_hint to Auth0 and the SAML connection’s request template has a Subject tag along with @@LoginHint@@ to pass that along to the upstream IdP.

Cause

Azure AD does not support the Subject claim in the AuthnRequest as documented here:

Solution

Please remove the Subject tag from the SAML request template since Azure AD does not support sending this. And due to this, we cannot pass login_hint to Azure using a SAML connection.

Topic		Replies	Views
Login_hint is not working for Microsoft Azure - SAML connection Help connections , login-experience , saml-enterprise-connection	2	2568	October 27, 2023
Passing login_hint to Microsoft Entra ID (Azure AD) when using SAML Knowledge Articles oidc-conformant , azure-ad , saml2	1	1689	December 13, 2023
Forward login hint to Microsoft Entra ID with SAML Connection Help connections , saml-enterprise-connection	0	379	June 12, 2024
Potential non-conformance with SAML's AudienceRestriction Help saml	3	3570	August 30, 2019
Pass login_hint to SAML provider Knowledge Articles saml , login , idp , service-provider , hint	1	4518	October 17, 2022

The SAML authentication request property 'Subject' is not supported and must not be set

Problem statement

Symptoms

Cause

Solution

Related Topics