How can we determine AssertionConsumerServiceURL value in the SAML request using .Well-known/config-

Ambli Vinay 0 Reputation points
2025-01-15T06:50:28.57+00:00

We have configured an application for authentication using Duende Identity service, with OpenID authentication using external handlers for Azure ADFS.

While accessing the application, it redirects to the Microsoft Authentication login page and then ends up with the error AADSTS50011: The redirect URI 'https://xxx.xxxxx.xture.com/IDS/federation/adfs2' specified in the request does not match the redirect URIs configured for the application 'urn:xxxxapp:exk1hqb21uah7qqsj1d8'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal.

Our implementation works fine with Duende Identity service and the .NET 6.0.x hosting libraries.

The above reported issue started appearing for us after we migrated the Duende Identity service and .NET 8.0 hosting libraries to Duende.identity.service 7.0.8, DynamicProviders, Aspnet.core.8.0.

What changes do we need to adapt for the external handlers to troubleshoot our issue? The


1 answer

  1. Sina Salam 15,396 Reputation points
    2025-01-15T15:06:38.7+00:00

    Hello Ambli Vinay,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you would like to know how you can determine the AssertionConsumerServiceURL value in the SAML request using well-known/config-.

    To achieve your goal, kindly follow the steps below:

    Step 1: https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/error-code-AADSTS50011-redirect-uri-mismatch

    The error AADSTS50011 arises when the redirect URI sent in the authentication request does not align with the URIs registered in Azure AD. To resolve this, log into the Azure portal and verify that the problematic redirect URI (https://xxx.xxxxx.xture.com/IDS/federation/adfs2) is explicitly registered under the authentication section of your app registration. Make sure that the URI is accurate, without any typos, extra slashes, or case mismatches. In your Duende Identity Server configuration, validate that the callback path matches the registered URI precisely, as shown in the example code below:

    // CallbackPath is the path part of the redirect_uri the handler sends to Azure AD;
    // it must match the registered redirect URI exactly (case and trailing slash included).
    options.CallbackPath = new PathString("/IDS/federation/adfs2");
    

    Additionally, confirm that any environment-specific configurations, such as in appsettings.json or Azure-specific overrides, are consistent across all deployment environments.

    Step 2:

    After migrating to .NET 8.0 and Duende Identity Service 7.0.8, external authentication handlers may require adjustments due to API changes. Review any usage of external authentication middleware, such as AddOpenIdConnect, and ensure compatibility with the updates. For example, new or modified parameters might need to be added in your code. Always review the release notes of both .NET 8.0 and Duende Identity Server for breaking changes that impact authentication logic. This will help ensure that your application’s integration with Azure AD remains functional after the upgrade.

    // Azure AD / Entra ID registered as an external OpenID Connect provider.
    // {tenant-id} and {client-id} are placeholders. The handler builds redirect_uri
    // from the request's scheme and host plus CallbackPath, so the resulting URI
    // must be registered verbatim in the app registration.
    services.AddAuthentication()
        .AddOpenIdConnect("AzureAD", options =>
        {
            options.Authority = "https://login.microsoftonline.com/{tenant-id}";
            options.ClientId = "{client-id}";
            // Sent as redirect_uri: https://<host>/IDS/federation/adfs2
            options.CallbackPath = "/IDS/federation/adfs2";
        });
    

    You can also refer to the ASP.NET Core OpenID Connect documentation (https://learn.microsoft.com/en-us/aspnet/core/security/authentication/openid-connect) for further details on configuring OpenID Connect handlers.

    Step 3:

    To locate the AssertionConsumerServiceURL for SAML, access the SAML metadata XML file, typically available at a URL like https://xxx.xxxxx.xture.com/IDS/federationmetadata/2007-06/federationmetadata.xml. Open this file and search for the <AssertionConsumerService> or similar element, whose Location attribute specifies the URL that handles SAML assertions. Cross-check this value with the redirect URIs configured in Azure AD to ensure alignment. The SAML metadata endpoint is critical for verifying and troubleshooting issues with SAML-based authentication. See the SAML 2.0 standard: https://www.oasis-open.org/standards#samlv2.0

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
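The two checks the answer describes (the redirect_uri the OIDC handler will actually send must match a registered URI character for character, and the AssertionConsumerService Location in the SP metadata should be cross-checked the same way) can be scripted. The following Python is an added example, not code from the thread, from Duende or from Microsoft. The metadata document, the host sp.example.com and the registered URI list are constructed for illustration; only the callback path /IDS/federation/adfs2 comes from the question. It parses the metadata namespace-aware, rebuilds the redirect_uri from origin, PathBase and CallbackPath, and reports the usual near-misses (trailing slash, path case, scheme) that AADSTS50011 does not spell out.

```python
"""Cross-check OIDC redirect_uri / SAML ACS Location against registered redirect URIs.

Constructed example: metadata, hosts and registered URIs below are made up.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP metadata in the shape of a federationmetadata.xml document.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.com/IDS">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/IDS/federation/adfs2" index="0" isDefault="true"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.com/IDS/federation/adfs2/artifact" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def acs_locations(metadata_xml: str) -> list[tuple[str, str]]:
    """Return (Binding, Location) for every AssertionConsumerService element.

    The lookup is namespace-aware, so it works whether the file uses the md: prefix,
    another prefix, or a default namespace. ElementTree does not fetch external
    entities, but only parse metadata you obtained from a trusted endpoint.
    """
    root = ET.fromstring(metadata_xml)
    return [
        (acs.get("Binding", ""), acs.get("Location", ""))
        for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService")
    ]


def oidc_redirect_uri(public_origin: str, path_base: str, callback_path: str) -> str:
    """Rebuild the redirect_uri an ASP.NET Core OIDC handler sends: the scheme and
    host it sees on the request, then PathBase, then CallbackPath. Behind a reverse
    proxy the scheme/host must come from forwarded headers or this value changes."""
    return public_origin.rstrip("/") + path_base.rstrip("/") + callback_path


def diagnose(sent: str, registered: list[str]) -> str:
    """Explain why `sent` does or does not match one of the registered URIs.

    The comparison is strict: a trailing slash, a path-case difference or http
    instead of https all count as a different URI and trigger AADSTS50011.
    """
    if sent in registered:
        return "exact match"
    s = urlsplit(sent)
    for r in registered:
        t = urlsplit(r)
        if s.netloc.lower() != t.netloc.lower():
            continue  # different host: not a near-miss worth explaining
        if s.path == t.path and s.scheme != t.scheme:
            return f"scheme differs from registered {r}"
        if s.path.rstrip("/") == t.path.rstrip("/") and s.path != t.path:
            return f"trailing slash differs from registered {r}"
        if s.path.lower() == t.path.lower() and s.path != t.path:
            return f"path case differs from registered {r}"
    return "not registered"


def check_metadata(metadata_xml: str, registered: list[str]) -> dict[str, str]:
    """Diagnose every ACS Location in the metadata against the registered URIs."""
    return {loc: diagnose(loc, registered) for _, loc in acs_locations(metadata_xml)}


if __name__ == "__main__":
    # Constructed: what is registered on the app registration in this scenario.
    registered_uris = ["https://sp.example.com/IDS/federation/adfs2"]
    sent = oidc_redirect_uri("https://sp.example.com", "", "/IDS/federation/adfs2")
    print("OIDC redirect_uri:", sent, "->", diagnose(sent, registered_uris))
    for location, verdict in check_metadata(SAMPLE_METADATA, registered_uris).items():
        print("ACS Location:", location, "->", verdict)
```

Run it against the real metadata file and the real registered list to see which of the near-miss categories applies; if the result is "exact match" for the path but the error persists, the scheme/host the handler sees behind the proxy is the next thing to check.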

