|
| 1 | +--- |
| 2 | +title: "Error AADSTS76021 (ApplicationRequiresSignedRequests) in SAML authentication: The request sent by client is not signed" |
| 3 | +description: Discusses a problem in which a user receives error AADSTS76021 when trying to sign in. |
| 4 | +ms.author: jarrettr |
| 5 | +author: JarrettRenshaw |
| 6 | +ms.topic: troubleshooting |
| 7 | +ms.service: entra-id |
| 8 | +ms.date: 01/14/2026 |
| 9 | +ms.custom: sap:Issues Signing In to Applications |
| 10 | +--- |
| 11 | +# "The request sent by client is not signed" error AADSTS76021 in SAML authentication |
| 12 | + |
| 13 | +## Summary |
| 14 | + |
| 15 | +The **AADSTS76021** (ApplicationRequiresSignedRequests) error occurs during federated authentication by using Microsoft Entra ID when you use SAML-based single sign-on (SSO). This error indicates that the client didn't sign the request, but the application requires signed requests. Even if the client signs the request, the signature might not be added according to the SAML binding configuration. |
| 16 | + |
| 17 | +According to the [SAML specifications](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf), the two primary and most commonly used binding types are: |
| 18 | + |
| 19 | +- **HTTP-Redirect** [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect]: For HTTP get method (GET) requests, the signature is included as a query parameter in the URL. |
| 20 | +- **HTTP-POST** [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]: For HTTP POST requests, the signature is embedded within the XML payload of the SAML message. |
| 21 | + |
| 22 | +If the application expects the signature in one location but the request uses another binding type, Microsoft Entra ID rejects the request. This rejection causes the **AADSTS76021** error. |
| 23 | + |
| 24 | +## Resolution |
| 25 | + |
| 26 | +1. **Verify SAML binding type** |
| 27 | + |
| 28 | +Check whether the application expects HTTP-Redirect or HTTP-POST. |
| 29 | + |
| 30 | +2. **Verify configuration matches** |
| 31 | + |
| 32 | +Verify that the Identity Provider (IdP) and Service Provider (SP) configurations align. |
| 33 | + |
| 34 | +3. **Verify signature placement** |
| 35 | + |
| 36 | +- For HTTP-Redirect: The signature must be in the query string. |
| 37 | +- For HTTP-POST: The signature must be inside the XML `<Signature>` element. |
| 38 | + |
| 39 | +4. **Update application or IdP configuration** |
| 40 | + |
| 41 | +- Align binding type and signature placement. |
| 42 | +- In Microsoft Entra ID, verify the SAML settings under **Enterprise Applications** > **Single Sign-On**. |
| 43 | + |
| 44 | +## Examples |
| 45 | + |
| 46 | +### Example 1: HTTP-Redirect binding (GET) |
| 47 | + |
| 48 | +The signed request includes query parameters such as the following example: |
| 49 | + |
| 50 | +``` |
| 51 | +https://contoso.com? |
| 52 | +SAMLRequest=<Base64EncodedRequest>&RelayState=<StateValue>&SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha256&Signature=<Base64Signature> |
| 53 | +``` |
| 54 | + |
| 55 | +### Example 2: HTTP-POST binding (POST) |
| 56 | + |
| 57 | +The signed request includes a signature inside the XML, such as in the following example: |
| 58 | + |
| 59 | +```xml |
| 60 | +<samlp:AuthnRequest> |
| 61 | + <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> |
| 62 | + <ds:SignedInfo> |
| 63 | + <!-- Canonicalization and signature details --> |
| 64 | + </ds:SignedInfo> |
| 65 | + <ds:SignatureValue>Base64SignatureValue</ds:SignatureValue> |
| 66 | + <ds:KeyInfo> |
| 67 | + <ds:X509Data> |
| 68 | + <ds:X509Certificate>...</ds:X509Certificate> |
| 69 | + </ds:X509Data> |
| 70 | + </ds:KeyInfo> |
| 71 | + </ds:Signature> |
| 72 | +</samlp:AuthnRequest> |
| 73 | +``` |
| 74 | + |
| 75 | +### SAML 2.0 bindings |
| 76 | + |
| 77 | +SAML 2.0 defines several protocol bindings that map SAML request and response message exchanges onto standard communication protocols. These bindings specify rules for message encoding, signature placement, and transport security. |
| 78 | + |
| 79 | +#### HTTP-Redirect binding |
| 80 | + |
| 81 | +- **Description**: Uses HTTP GET requests in which SAML messages are transmitted as query parameters. |
| 82 | +- **Use case**: Common for initiating authentication requests. |
| 83 | + |
| 84 | +#### HTTP-POST binding |
| 85 | + |
| 86 | +- **Description**: Uses HTTP POST requests in which SAML messages are embedded in the body as XML. |
| 87 | +- **Use case**: Common for sending signed assertions securely. |
| 88 | + |
| 89 | +#### HTTP-Artifact binding |
| 90 | + |
| 91 | +- **Description**: Exchanges small artifacts through HTTP. The artifacts are later resolved into full SAML messages. |
| 92 | +- **Use case**: Reduces message size in front-channel communication. |
| 93 | + |
| 94 | +#### Simple Object Access Protocol (SOAP) binding |
| 95 | + |
| 96 | +- **Description**: Uses SOAP over HTTP for back-channel communication. |
| 97 | +- **Use case**: Common for artifact resolution and management operations. |
| 98 | + |
| 99 | +#### Reverse SOAP (PAOS) binding |
| 100 | + |
| 101 | +- **Description**: Reverse HTTP binding that's used for Enhanced Client or Proxy (ECP) profiles. |
| 102 | +- **Use case**: Enables advanced client interactions. |
| 103 | + |
| 104 | +[SAML Bindings Specification](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) |
| 105 | + |
| 106 | +## Resources |
| 107 | + |
| 108 | +For a full list of Active Directory authentication and authorization error codes, see [Microsoft Entra authentication and authorization error codes](/azure/active-directory/develop/reference-aadsts-error-codes). |
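Review bot: the `SigAlg` value in Example 1 (line 52 of the new file) is wrong for RSA-SHA256: `http://www.w3.org/2000/09/xmldsig#` is the SHA-1-era XML-DSig namespace (its RSA identifier is `...xmldsig#rsa-sha1`), while RSA-SHA256 is `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`. Since readers are told to compare their request's signature placement against this example, a mismatched algorithm URI will send them down the wrong path; suggest `SigAlg=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`. Two smaller points in the same file: the Example 2 `<samlp:AuthnRequest>` root has no `xmlns:samlp` declaration, so the snippet is not well-formed XML as shown (add `xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"`), and the Resources paragraph still says "Active Directory authentication and authorization error codes" while the link text and the rest of the article use "Microsoft Entra".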