support/entra/entra-id/app-integration/error-code-aadsts76021-request-not-signed.md
94 additions & 1 deletion
@@ -12,4 +12,97 @@ ms.service: # Add the ms.service or ms.prod value
12
12
ms.topic: # Add the ms.topic value
13
13
ms.date: 01/14/2026
14
14
---
15
-
H1
15
+
# Error AADSTS76021 (ApplicationRequiresSignedRequests) with SAML authentication: The request sent by client is not signed
16
+
17
+
## Overview
18
+
The error **AADSTS76021** occurs during federated authentication with Microsoft Entra ID when using SAML-based Single Sign-On (SSO). This error indicates that the request sent by the client is not signed while the application requires signed requests. Even if the request is signed, the signature might not be placed according to the SAML binding configuration.
19
+
20
+
According to [SAML specifications](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf), two primary and most commonly used binding types exist:
21
+
22
+
-**HTTP-Redirect**[urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect]: For HTTP GET requests, the signature is included as a query parameter in the URL.
23
+
-**HTTP-POST**[urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]: For HTTP POST requests, the signature is embedded within the XML payload of the SAML message.
24
+
25
+
If the application expects the signature in one location but the request uses another binding type, Microsoft Entra ID will reject the request, resulting in **AADSTS76021**.
26
+
27
+
---
28
+
29
+
## Resolution Steps
30
+
1.**Verify SAML Binding Type**
31
+
- Check whether the application expects HTTP-Redirect or HTTP-POST.
32
+
33
+
2.**Ensure Configuration Matches**
34
+
- Confirm that the Identity Provider (IdP) and Service Provider (SP) configurations align.
35
+
36
+
3.**Validate Signature Placement**
37
+
- For HTTP-Redirect: Signature must be in the query string.
38
+
- For HTTP-POST: Signature must be inside the XML `<Signature>` element.
39
+
40
+
4.**Update Application or IdP Configuration**
41
+
- Align binding type and signature placement.
42
+
- In Microsoft Entra ID, confirm SAML settings under **Enterprise Applications > Single Sign-On**.
SAML 2.0 defines several protocol bindings that map SAML request and response message exchanges onto standard communication protocols. These bindings specify rules for message encoding, signature placement, and transport security.
79
+
80
+
### 1. HTTP-Redirect Binding
81
+
-**Description**: Uses HTTP GET requests where SAML messages are transmitted as query parameters.
82
+
-**Use Case**: Common for initiating authentication requests.
83
+
84
+
### 2. HTTP-POST Binding
85
+
-**Description**: Uses HTTP POST requests where SAML messages are embedded in the body as XML.
86
+
-**Use Case**: Common for sending signed assertions securely.
87
+
88
+
### 3. HTTP-Artifact Binding
89
+
-**Description**: Exchanges small artifacts via HTTP, which are later resolved into full SAML messages.
90
+
-**Use Case**: Reduces message size in front-channel communication.
91
+
92
+
### 4. SOAP Binding
93
+
-**Description**: Uses SOAP over HTTP for back-channel communication.
94
+
-**Use Case**: Common for artifact resolution and management operations.
95
+
96
+
### 5. PAOS Binding
97
+
-**Description**: Reverse HTTP binding used for Enhanced Client or Proxy (ECP) profiles.
For a full list of Active Directory Authentication and authorization error codes, see [Microsoft Entra authentication and authorization error codes](/azure/active-directory/develop/reference-aadsts-error-codes).
105
+
106
+
[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
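Review bot: Step 3 of "Resolution Steps" ("For HTTP-Redirect: Signature must be in the query string") does not name what to look for, so a reader cannot actually validate placement from it. In the HTTP-Redirect binding the signature is carried in the `Signature` query parameter alongside `SigAlg` and is computed over the query string, not the XML; suggest naming both parameters in that bullet, and stating in the HTTP-POST bullet that the `<Signature>` element sits inside the AuthnRequest XML that is base64-encoded into the `SAMLRequest` form field. Separately, the front matter context lines still carry the template placeholders `ms.service: # Add the ms.service or ms.prod value` and `ms.topic: # Add the ms.topic value`, which should be filled in, and the closing sentence says "Active Directory Authentication and authorization error codes" while its link text says "Microsoft Entra", so the product naming should be made consistent.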