Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is this Azure SAML request error AADSTS7500529?

agrandville
Explorer
‎11-15-2020 08:34 AM

Hi all,

I'm configuring Splunk (Docker image 8.1.0) to make SAML authentication on Azure ADFS.

Despite all looks right, I get this error in response to the Splunk SAML Request

SAMLRequestError.png

 

 

 

 

 

 

 

 

 

'AADSTS7500529: The value '1a480d8dd87f.4.DA3C17FD-8DE5-4E39-8F52-5EF91CD63A51' is not a valid SAML ID. The ID must not begin with a number.'

I guess a problem with the ID's format of <samlp:AuthnRequest>, let me show you the content of my SAML requests

 

 

<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="1a480d8dd87f.3.DA3C17FD-8DE5-4E39-8F52-5EF91CD63A51"

 

 

Whereas Microsoft SAML 2.0 protocol documentation  impose a specific format for it

ID Required Azure AD uses this attribute to populate the InResponseTo attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "id" to the string representation of a GUID. For example, id6c1c178c166d486687be4aaf5e482730 is a valid ID.

 

Do you confirm this is a malfunction ?

Thank's

Arnaud

Labels (2)
Tags (2)
0 Karma
Reply

jorks
New Member
‎04-13-2022 07:53 PM

I just worked my way through this issue. 

The SAML ID is prefixed with the hostname of the docker container. Which in my case was auto-generated starting with a number. When I consoled into my container and ran cat /etc/hostname I could see the mysterious number that was breaking my SAML auth with:

'AADSTS7500529: The value '1a480d8dd87f.4.DA3C17FD-8DE5-4E39-8F52-5EF91CD63A51' is not a valid SAML ID. The ID must not begin with a number.'

Where 1a480d8dd87f was my container hostname.

I re-deployed my docker stack with:

services:
  splunk:
    image: ${SPLUNK_IMAGE:-splunk/splunk:latest}
    container_name: splunk
    hostname: splunk
    ...

And my SAML began to work:

ID="splunk.2.DA3C17FD-8DE5-4E39-8F52-5EF91CD63A51"

Hope this helps someone in the future 🙂 

~ James

Tags (3)
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...