update the article

genlin · genlin · commit 42c5dc986de1 · 2025-04-17T14:14:26.000+08:00
diff --git a/support/entra/entra-id/app-integration/error-code-aadsts7500514-supported-type-saml-response-not-found.md b/support/entra/entra-id/app-integration/error-code-aadsts7500514-supported-type-saml-response-not-found.md
@@ -1,6 +1,6 @@
 ---
 title: AADSTS7500514 - A supported type of SAML response was not found with PingFederate 
-description: Describes an error code `AADSTS7500514` that's returned if a federated account try to authenticate with Microsoft Entra ID.
+description: Describes an error code `AADSTS7500514` that's returned if a federated account tries to authenticate with Microsoft Entra ID.
 ms.date: 04/17/2025
 ms.author: bachoang
 ms.service: entra-id
@@ -10,11 +10,11 @@ keywords: AADSTS50020
 
 # AADSTS7500514 - A supported type of SAML response was not found with PingFederate
 
-This article helps you troubleshoot error code `AADSTS7500514` that's returned if a PingFederate federated account try to authenticate with Microsoft Entra ID (formerly Azure Active Directory).
+This article helps you troubleshoot error code `AADSTS7500514` that's returned if a PingFederate federated account tries to authenticate with Microsoft Entra ID (formerly Azure Active Directory).
 
 ## Symptoms
 
-When a federated account tries to authenticate with an Microsoft Authentication Library (MSAL) or Active Directory Authentication Library (ADAL) based application, the sign-in fails. The following error message is displayed:
+When a federated account tries to authenticate with Microsoft Entra ID from a Microsoft Authentication Library (MSAL) or Active Directory Authentication Library (ADAL) based application, the sign-in fails. The following error message is displayed:
 
 ```output
 {
@@ -27,22 +27,22 @@ When a federated account tries to authenticate with an Microsoft Authentication
 
 The error typically occurs in the following environment:
 
-- A federated account that uses [PingFederate](https://www.pingidentity.com/software/pingfederate.html) as the identity provider is used for authentication.  
+- A federated account that uses [PingFederate](https://www.pingidentity.com/software/pingfederate.html) as the identity provider.  
 - The identity provider is configured to issue a SAML 1.1 token by using the WS-Trust protocol.
 - The application uses one of the following APIs for authentication:
-    - MSAL `AcquireTokenByUserNamePassword` method  
-    - ADAL `AcquireToken`(string resource, string clientId, UserCredential userCredential) method  
+    - MSAL `AcquireTokenByUserNamePassword` method.  
+    - ADAL `AcquireToken`(string resource, string clientId, UserCredential userCredential) method.  
     - Any PowerShell module that uses the MSAL or ADAL methods listed earlier.
 
 ## Cause
 
-Since [ADAL has been deprecated](/entra/identity/monitoring-health/recommendation-migrate-from-adal-to-msal), this article focus on the MSAL.
+Since [ADAL has been deprecated](/entra/identity/monitoring-health/recommendation-migrate-from-adal-to-msal), this article focuses on the MSAL.
 
 This issue occurs if the SAML response from PingFederate does not contain the SAML version or uses a format that MSAL cannot recognize. This typically results from a misconfiguration on the PingFederate side for Microsoft Entra ID.
 
-### How the issue occurs
+### Root cause analysis: SAML token version detection
 
-When authenticating a federated account, MSAL determines whether the account is managed account or federated account.
+When authenticating a federated account, MSAL determines whether the account is a managed account or a federated account.
 
 For managed accounts, MSAL uses the [Resource Owner Password Credentials grant flow](/entra/identity-platform/v2-oauth-ropc). For federated accounts, it uses the [SAML Assertion Grant flow](/azure/active-directory/develop/v2-saml-bearer-assertion) for authentication.
 
@@ -56,7 +56,7 @@ The issue typically occurs in step 1, where the client application needs to pars
 - `<saml:Assertion>` node  
 - `<TokenType>` node
 
-The following is an example AD FS  SAML response from the `usernamemixed` endpoint:
+The following is an example AD FS  SAML response from the `/UserNameMixed` endpoint:
 
 - **SAML Assertion**: major version = 1, minor version = 1  
 - **TokenType**: `urn:oasis:names:tc:SAML:1.0:assertion`
@@ -65,32 +65,32 @@ The following is an example AD FS  SAML response from the `usernamemixed` endpoi
 
 Example of PingFederate SAML response (SAML Assertion Grant flow step 1):
 
-:::image type="content" source="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response.png" alt-text="AScreenshot of PingFederate SAML Response" lightbox="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response.png":::
+:::image type="content" source="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response.png" alt-text="A screenshot of PingFederate SAML Response for SAML Assertion Grant flow step 1" lightbox="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response.png":::
 
-After you compare these two response, you will found PingFederate returns a different TokenType value: `http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1` for the same SAML 1.1 token. However, MSAL does not support any TokenType value other than `urn:oasis:names:tc:SAML:1.0:assertion`.
+After you compare these two responses, you will find PingFederate returns a different TokenType value: `http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1` for the same SAML 1.1 token. However, MSAL does not support any TokenType value other than `urn:oasis:names:tc:SAML:1.0:assertion`.
 
 When the identity provider returns a different or unexpected value in the SAML response, MSAL may incorrectly interpret the token as SAML 2.0. As a result, it uses the corresponding `grant_type` value during step 2 of the SAML Assertion Grant flow.
 
-Example of the request sent from MASL application with PingFederate (SAML Assertion Grant flow step 2):
+Example of the request sent from MSAL application with PingFederate (SAML Assertion Grant flow step 2):
 
-:::image type="content" source="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-2.png" alt-text="AScreenshot of PingFederate SAML Response" lightbox="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-2.png":::
+:::image type="content" source="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-2.png" alt-text="A screenshot of request sent from MSAL application with PingFederate in SAML Assertion Grant flow step 2." lightbox="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-2.png":::
 
-Example of the request sent from MASL application with AD FS :
+Example of the request sent from MSAL application with AD FS :
 
-:::image type="content" source="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-3.png" alt-text="AScreenshot of PingFederate SAML Response" lightbox="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-3.png":::
+:::image type="content" source="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-3.png" alt-text="A screenshot of request sent from MSAL application with AD FS in SAML Assertion Grant flow step 2." lightbox="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-3.png":::
 
 In this step, the value of the `grant_type` parameter must align with the actual version of the SAML token. The following values are used:
 
-- `urn:ietf:params:oauth:grant-type:saml2-bearer` – for SAML 2.0 tokens  
-- `urn:ietf:params:oauth:grant-type:saml1_1-bearer` – for SAML 1.1 tokens  
+- urn:ietf:params:oauth:grant-type:saml2-bearer - for SAML 2.0 tokens
+- urn:ietf:params:oauth:grant-type:saml1_1-bearer - for SAML 1.1 tokens
 
-In the case of a PingFederate account, MSAL uses the incorrect `grant_type` based on its misinterpretation of the SAML version. This results in a version mismatch between the `grant_type` parameter and the SAML token included in the assertion that causes the authentication error.
+In the case of a PingFederate account, MSAL uses the `saml2-bearer` as the `grant_type` based on its misinterpretation of the SAML version. This results in a version mismatch between the `grant_type` parameter and the SAML token included in the assertion that causes the authentication error.
 
-## SOlution
+## Solution
 
-To resolve this issue, ensure that PingFederate is configured to align with Microsoft Entra ID requirements. Follow the steps below:
+To resolve this issue, ensure that PingFederate is configured to align with Microsoft Entra ID requirements. For step-by-step instructions, review the following articles.
 
-- [Creating a connection to Microsoft Entra ID](https://docs.pingidentity.com/integrations/azure/azure_ad_and_office_365_integration_guide/pf_azuread_office365_integration_creating_a_connection_to_azure_active_directory.html)
+- [Creating a connection to Microsoft Entra ID](https://docs.pingidentity.com/integrations/azure/azure_ad_and_office_365_integration_guide/pf_azuread_office365_integration_creating_a_connection_to_azure_active_directory.html).
 
     During Microsoft Entra ID connection setup, pay special attention to the following settings:
 
@@ -103,9 +103,6 @@ To resolve this issue, ensure that PingFederate is configured to align with Micr
 
 - [Configuring WS-Trust STS](https://docs.pingidentity.com/integrations/azure/azure_ad_and_office_365_integration_guide/pf_azuread_office365_integration_configuring_ws_trust_sts.html)
 
-    During Configuring WS-Trust STS, select **SAML 1.1 for Office 365** as the Default Token Type.
+    When you configure WS-Trust STS, make sure that you select **SAML 1.1 for Office 365** as the Default Token Type.
 
-    
-## Clean up resources
-
-After resolving the issue, test the changes in your environment to ensure that the error no longer occurs when using MSAL or ADAL for authentication. Make any necessary adjustments to your application's authentication logic as needed.
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
