Splunk Enterprise

What is this Azure SAML request error AADSTS7500529?

agrandville
Explorer

Hi all,

I'm configuring Splunk (Docker image 8.1.0) to use SAML authentication with Azure ADFS.

Although everything looks right, I get this error in response to the Splunk SAML request:

'AADSTS7500529: The value '1a480d8dd87f.4.DA3C17FD-8DE5-4E39-8F52-5EF91CD63A51' is not a valid SAML ID. The ID must not begin with a number.'

I guess it is a problem with the format of the ID of <samlp:AuthnRequest>. Let me show you the content of my SAML request:

<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="1a480d8dd87f.3.DA3C17FD-8DE5-4E39-8F52-5EF91CD63A51"

Whereas the Microsoft SAML 2.0 protocol documentation imposes a specific format for it:

ID (Required): Azure AD uses this attribute to populate the InResponseTo attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "id" to the string representation of a GUID. For example, id6c1c178c166d486687be4aaf5e482730 is a valid ID.

Can you confirm this is a malfunction?

Thanks

Arnaud

0 Karma

jorks
New Member

I just worked my way through this issue.

The SAML ID is prefixed with the hostname of the Docker container, which in my case was auto-generated and started with a number. When I consoled into my container and ran cat /etc/hostname, I could see the mysterious number that was breaking my SAML auth with:

'AADSTS7500529: The value '1a480d8dd87f.4.DA3C17FD-8DE5-4E39-8F52-5EF91CD63A51' is not a valid SAML ID. The ID must not begin with a number.'

Where 1a480d8dd87f was my container hostname.

I re-deployed my docker stack with:

services:
  splunk:
    image: ${SPLUNK_IMAGE:-splunk/splunk:latest}
    container_name: splunk
    hostname: splunk
    ...

And my SAML began to work:

ID="splunk.2.DA3C17FD-8DE5-4E39-8F52-5EF91CD63A51"

Hope this helps someone in the future 🙂 

~ James

0 Karma
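
An added example, not part of either post and not Splunk's or Microsoft's code: a check that extracts the ID from a samlp:AuthnRequest and tests it against the xs:ID (NCName) rule that SAML 2.0 sets for this attribute, of which "must not begin with a number" is one part. The regex covers only the ASCII subset of NCName, the function names are hypothetical, and the sample requests are constructed around the IDs quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# SAML declares ID as xs:ID (an XML NCName). This is the ASCII subset of that
# production: a letter or underscore first, then letters, digits, '.', '-', '_'.
NCNAME_ASCII = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*\Z")


def is_valid_saml_id(value):
    return NCNAME_ASCII.match(value) is not None


def authn_request_id(xml_text):
    """Return the ID attribute of a samlp:AuthnRequest document."""
    # ElementTree is acceptable for requests your own SP generated; use a
    # hardened parser for XML received from elsewhere.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    request_id = root.get("ID")
    if request_id is None:
        raise ValueError("AuthnRequest has no ID attribute")
    return request_id


def diagnose(xml_text):
    """Return (ok, request_id, finding) for one AuthnRequest."""
    request_id = authn_request_id(xml_text)
    if is_valid_saml_id(request_id):
        return True, request_id, "ID is a valid NCName"
    # In this thread the ID is '<hostname>.<counter>.<GUID>', so the first
    # dot-separated field is the hostname to look at.
    prefix = request_id.split(".", 1)[0]
    if request_id[:1].isdigit():
        return False, request_id, "ID begins with a digit; check hostname %r" % prefix
    return False, request_id, "ID contains characters outside the NCName set"


# Constructed sample: the IDs are the ones quoted in the thread; the other
# attributes are filler so that the XML is well-formed.
TEMPLATE = ('<samlp:AuthnRequest xmlns:samlp="%s" Version="2.0" '
            'IssueInstant="2020-01-01T00:00:00Z" ID="%%s"/>' % SAMLP_NS)
BAD = TEMPLATE % "1a480d8dd87f.3.DA3C17FD-8DE5-4E39-8F52-5EF91CD63A51"
GOOD = TEMPLATE % "splunk.2.DA3C17FD-8DE5-4E39-8F52-5EF91CD63A51"

if __name__ == "__main__":
    for sample in (BAD, GOOD):
        print(diagnose(sample))
```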