SimpleSamlPHP and Azure AD integration. Stuck in AADSTS50011 error

Question

I can't seem to get past this error. I am able to login into Microsoft, but after, that error shows up. I have tried all set these reply URL's inside Azure, but still nothing:

• https://sso.xxxx.com/simplesaml/module.php/saml/sp/metadata.php/default-sp
• https://sso.xxxx.com/simplesaml/module.php/saml/sp/metadata.php/default-sp/module.php/saml/sp/metadata.php/default-sp
• https://sso.xxxx.com/simplesaml
• https://sso.xxxx.com/

This is my simplesaml config file:

'baseurlpath' => 'https://sso.xxxx.com/simplesaml',

Here is my Authsource:

'default-sp' => [
    'saml:SP',
    'entityID' => 'xxxxxx-4521-4587-9b30-xxxxxxxxxxxx',
    'idp' => 'https://sts.windows.net/xxxxxx-f963-4bc4-98a8-xxxxxxxxxxxx/',
    'discoURL' => null,
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'simplesaml.nameidattribute' => 'eduPersonTargetedID',

Am I missing something in the config? I test it via SimpleSamlPHP Test authentication sources:

https://sso.xxxx.com/simplesaml/module.php/core/authenticate.php?as=default-sp

and also via sourcecode in another website:

https://www.xxxx.com/nxsso/login

Answer 1

This issue will occur when the redicrect_uri doesn't match the redirect uri in Azure portal.

You can use the fiddler to capture the auth request url, you will find the redirect_uri in the authorize endpoint. Then use this one in Azure portal.

The auth request url is something like

https://login.microsoftonline.com/{tenant}/oauth2/authorize? client_id=6731de76-14a6-49ae-97bc-6eba6914391e &response_type=code &redirect_uri=http%3A%2F%2Flocalhost%3A12345 &response_mode=query &resource=https%3A%2F%2Fservice.contoso.com%2F &state=12345

You will find the real redirect_uri.

Update: You should be able to find the request url before enter your username.