2

The Saml2 Authn Request includes a Subject property, which Azure apparently does not like. Is there a way of modifying the request XML to not include the Subject property, or any other workaround?

I am getting the following error:

AADSTS900236: The SAML authentication request property 'Subject' is not supported and must not be set. 

This is what it says in the Microsoft docs:

Subject
Don't include a Subject element. Azure AD doesn't support specifying a subject in AuthnRequest and will return an error if one is provided.

A subject can instead be provided by adding a login_hint parameter to the HTTP request to the single sign-on URL, with the subject's NameID as the parameter value.

https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol#subject

1 Answer

3

You can just leave the Subject property empty in the Saml2AuthnRequest. Then the Subject property is not sent.

In the TestWebAppCore sample AuthController.cs you would remove this line:

Subject = new Subject { NameID = new NameID { ID = "abcd" } },
Anders Revsgaard
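A diagnostic check for the situation in this thread, as an added example that is not code from the original post or from the library it discusses: it decodes the SAMLRequest from a sign-in URL and reports whether a Subject element would be sent, so the NameID can be passed as login_hint instead. It assumes the request travels over the HTTP-Redirect binding; the function names, size cap and example.com-style URLs are assumptions, and the sample request is constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_XML_BYTES = 64 * 1024  # assumed cap on the inflated request size


def decode_redirect_request(url):
    """Return the AuthnRequest XML carried in an HTTP-Redirect binding URL."""
    query = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)  # raw DEFLATE, no zlib header
    xml = inflater.decompress(raw, MAX_XML_BYTES)
    if inflater.unconsumed_tail:
        raise ValueError("inflated AuthnRequest exceeds size cap")
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD not allowed in a SAML message")
    return xml


def check_authn_request(url):
    """Report whether the request carries a Subject and which NameID it names."""
    root = ET.fromstring(decode_redirect_request(url))
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    subject = root.find("saml:Subject", NS)
    name_id = subject.findtext("saml:NameID", namespaces=NS) if subject is not None else None
    return {"has_subject": subject is not None, "name_id": name_id}


def with_login_hint(url, name_id):
    """Append login_hint to a sign-in URL that already has a query string."""
    return url + "&" + urlencode({"login_hint": name_id})


def build_sample_url(with_subject):
    """Constructed sample: a minimal AuthnRequest sent to a placeholder SSO URL."""
    subject = ("<saml:Subject><saml:NameID>abcd</saml:NameID></saml:Subject>"
               if with_subject else "")
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed" '
           'Version="2.0"><saml:Issuer>https://sp.example/</saml:Issuer>%s'
           "</samlp:AuthnRequest>" % (NS["samlp"], NS["saml"], subject))
    deflater = zlib.compressobj(wbits=-15)
    packed = deflater.compress(xml.encode()) + deflater.flush()
    return "https://idp.example/saml2?" + urlencode({"SAMLRequest": base64.b64encode(packed).decode()})
```

If `has_subject` is true, remove the Subject from the request object before it is bound rather than editing the encoded URL, since a signed redirect covers the SAMLRequest value.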