| 1 | +--- |
| 2 | +title: AADSTS7500514 - A supported type of SAML response was not found with PingFederate |
| 3 | +description: Describes an error code `AADSTS7500514` that's returned if a federated account try to authenticate with Microsoft Entra ID. |
| 4 | +ms.date: 04/17/2025 |
| 5 | +ms.author: bachoang |
| 6 | +ms.service: entra-id |
| 7 | +ms.custom: sap:Issues Signing In to Applications, has-azure-ad-ps-ref |
| 8 | +keywords: AADSTS50020 |
| 9 | +--- |
| 10 | + |
| 11 | +# AADSTS7500514 - A supported type of SAML response was not found with PingFederate |
| 12 | + |
| 13 | +This article helps you troubleshoot error code `AADSTS7500514` that's returned if a PingFederate federated account try to authenticate with Microsoft Entra ID (formerly Azure Active Directory). |
| 14 | + |
| 15 | +## Symptoms |
| 16 | + |
| 17 | +When a federated account tries to authenticate with an Microsoft Authentication Library (MSAL) or Active Directory Authentication Library (ADAL) based application, the sign-in fails. The following error message is displayed: |
| 18 | + |
| 19 | +```output |
| 20 | +{ |
| 21 | + error: "invalid_request", |
| 22 | + error_description: "AADSTS7500514: A supported type of SAML response was not found. The supported response types are 'Response' (in XML namespace 'urn:oasis:names:tc:SAML:2.0:protocol') or 'Assertion' (in XML namespace 'urn:oasis:names:tc:SAML:2.0:assertion'). |
| 23 | + .... |
| 24 | + error_uri: "https://login.microsoftonline.com/error?code=7500514" |
| 25 | +} |
| 26 | +``` |
| 27 | + |
| 28 | +The error typically occurs in the following environment: |
| 29 | + |
| 30 | +- A federated account that uses [PingFederate](https://www.pingidentity.com/software/pingfederate.html) as the identity provider is used for authentication. |
| 31 | +- The identity provider is configured to issue a SAML 1.1 token by using the WS-Trust protocol. |
| 32 | +- The application uses one of the following APIs for authentication: |
| 33 | + - MSAL `AcquireTokenByUserNamePassword` method |
| 34 | + - ADAL `AcquireToken`(string resource, string clientId, UserCredential userCredential) method |
| 35 | + - Any PowerShell module that uses the MSAL or ADAL methods listed earlier. |
| 36 | + |
| 37 | +## Cause |
| 38 | + |
| 39 | +Since [ADAL has been deprecated](/entra/identity/monitoring-health/recommendation-migrate-from-adal-to-msal), this article focus on the MSAL. |
| 40 | + |
| 41 | +This issue occurs if the SAML response from PingFederate does not contain the SAML version or uses a format that MSAL cannot recognize. This typically results from a misconfiguration on the PingFederate side for Microsoft Entra ID. |
| 42 | + |
| 43 | +### How the issue occurs |
| 44 | + |
| 45 | +When authenticating a federated account, MSAL determines whether the account is managed account or federated account. |
| 46 | + |
| 47 | +For managed accounts, MSAL uses the [Resource Owner Password Credentials grant flow](/entra/identity-platform/v2-oauth-ropc). For federated accounts, it uses the [SAML Assertion Grant flow](/azure/active-directory/develop/v2-saml-bearer-assertion) for authentication. |
| 48 | + |
| 49 | +There are two steps involved in the SAML Assertion Grant flow: |
| 50 | + |
| 51 | +1. The client application authenticates to the federated identity provider to obtain a SAML token. |
| 52 | +2. The client then uses the obtained SAML token to get an OAuth 2.0 JWT token from Microsoft Entra ID. |
| 53 | + |
| 54 | +The issue typically occurs in step 1, where the client application needs to parse the SAML response from the identity provider to determine the SAML version. MSAL looks for the following attribute values in the identity provider's SAML response to determine the version of the SAML token: |
| 55 | + |
| 56 | +- `<saml:Assertion>` node |
| 57 | +- `<TokenType>` node |
| 58 | + |
| 59 | +The following is an example AD FS SAML response from the `usernamemixed` endpoint: |
| 60 | + |
| 61 | +- **SAML Assertion**: major version = 1, minor version = 1 |
| 62 | +- **TokenType**: `urn:oasis:names:tc:SAML:1.0:assertion` |
| 63 | + |
| 64 | +:::image type="content" source="media/error-code-aadsts7500514-supported-type-saml-response-not-found/adfs-saml-response.png" alt-text="Screenshot of ADFS SAML Response." lightbox="media/error-code-aadsts7500514-supported-type-saml-response-not-found/adfs-saml-response.png"::: |
| 65 | + |
| 66 | +Example of PingFederate SAML response (SAML Assertion Grant flow step 1): |
| 67 | + |
| 68 | +:::image type="content" source="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response.png" alt-text="AScreenshot of PingFederate SAML Response" lightbox="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response.png"::: |
| 69 | + |
| 70 | +After you compare these two response, you will found PingFederate returns a different TokenType value: `http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1` for the same SAML 1.1 token. However, MSAL does not support any TokenType value other than `urn:oasis:names:tc:SAML:1.0:assertion`. |
| 71 | + |
| 72 | +When the identity provider returns a different or unexpected value in the SAML response, MSAL may incorrectly interpret the token as SAML 2.0. As a result, it uses the corresponding `grant_type` value during step 2 of the SAML Assertion Grant flow. |
| 73 | + |
| 74 | +Example of the request sent from MASL application with PingFederate (SAML Assertion Grant flow step 2): |
| 75 | + |
| 76 | +:::image type="content" source="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-2.png" alt-text="AScreenshot of PingFederate SAML Response" lightbox="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-2.png"::: |
| 77 | + |
| 78 | +Example of the request sent from MASL application with AD FS : |
| 79 | + |
| 80 | +:::image type="content" source="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-3.png" alt-text="AScreenshot of PingFederate SAML Response" lightbox="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-3.png"::: |
| 81 | + |
| 82 | +In this step, the value of the `grant_type` parameter must align with the actual version of the SAML token. The following values are used: |
| 83 | + |
| 84 | +- `urn:ietf:params:oauth:grant-type:saml2-bearer` – for SAML 2.0 tokens |
| 85 | +- `urn:ietf:params:oauth:grant-type:saml1_1-bearer` – for SAML 1.1 tokens |
| 86 | + |
| 87 | +In the case of a PingFederate account, MSAL uses the incorrect `grant_type` based on its misinterpretation of the SAML version. This results in a version mismatch between the `grant_type` parameter and the SAML token included in the assertion that causes the authentication error. |
| 88 | + |
| 89 | +## SOlution |
| 90 | + |
| 91 | +To resolve this issue, ensure that PingFederate is configured to align with Microsoft Entra ID requirements. Follow the steps below: |
| 92 | + |
| 93 | +- [Creating a connection to Microsoft Entra ID](https://docs.pingidentity.com/integrations/azure/azure_ad_and_office_365_integration_guide/pf_azuread_office365_integration_creating_a_connection_to_azure_active_directory.html) |
| 94 | + |
| 95 | + During Microsoft Entra ID connection setup, pay special attention to the following settings: |
| 96 | + |
| 97 | + 1. Configure the connection protocols. |
| 98 | + 2. On the **Connection Template** tab, select **Do not use a template for this connection**. Click **Next**. |
| 99 | + 3. On the **Connection Type** tab select **Browser SSO Profiles**. |
| 100 | + 4. In the Protocol list, select WS-Federation. |
| 101 | + 5. In the **WS-Federation Token Type list**, select **SAML 1.1**. |
| 102 | + 6. If you want to support active federation, select the **WS-Trust STS** check box. |
| 103 | + |
| 104 | +- [Configuring WS-Trust STS](https://docs.pingidentity.com/integrations/azure/azure_ad_and_office_365_integration_guide/pf_azuread_office365_integration_configuring_ws_trust_sts.html) |
| 105 | + |
| 106 | + During Configuring WS-Trust STS, select **SAML 1.1 for Office 365** as the Default Token Type. |
| 107 | + |
| 108 | + |
| 109 | +## Clean up resources |
| 110 | + |
| 111 | +After resolving the issue, test the changes in your environment to ensure that the error no longer occurs when using MSAL or ADAL for authentication. Make any necessary adjustments to your application's authentication logic as needed. |
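Review bot: the `keywords` front matter on line 8 (`keywords: AADSTS50020`) names a different error code than the one this article covers; change it to `AADSTS7500514` so the page is indexed under the code in its own title and in the quoted error output. The Cause section ends on the TokenType mismatch (`http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1` returned by PingFederate versus the `urn:oasis:names:tc:SAML:1.0:assertion` value MSAL accepts), but the Solution never says which of the listed PingFederate settings changes that value; add a sentence after the **SAML 1.1 for Office 365** step stating which setting controls the emitted TokenType, and put the relevant `<TokenType>` and `<saml:Assertion ... MajorVersion/MinorVersion>` XML in the text rather than only in screenshots so a reader can compare it against their own captured WS-Trust response. The alt text on the AD FS request image (`alt-text="AScreenshot of PingFederate SAML Response"`) names the wrong identity provider, and all three PingFederate images carry the same `AScreenshot` typo. Wording to fix: `## SOlution`, `MASL` (twice), `you will found`, `an Microsoft`, `this article focus on`, `try to authenticate` (lines 3 and 13), `compare these two response`; and the closing `## Clean up resources` heading labels what is actually a verification step, so `## Verify the fix` matches the content.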