AWS workspace pool error: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding

Moshe Reubinoff 0 Reputation points
2024-09-14T11:33:18.4533333+00:00

Trying to configure an AWS workspace pool with a directory pool to Azure Entra ID.
I added the enterprise application "AWS Single-Account" and set up the AWS directory to the user login URL.
From the test page in Azure I managed to log in with the SSO.
But from the AWS workspace I failed due to:
SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding

Any thoughts on how to fix it?


1 answer

  1. Raja Pothuraju 5,580 Reputation points Microsoft Vendor
    2024-09-19T20:18:29.9066667+00:00

    Hello @Moshe Reubinoff,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, it seems you configured the AWS Single-Account gallery application in Azure through Enterprise Applications, and you can access the app from the Azure portal. However, when attempting to access it from the AWS workspace, it fails with an error message: "AADSTS750054 — SAMLRequest or SAMLResponse must be present as query string parameters in the HTTP request for SAML Redirect binding" during SAML Single Sign-On.

    The error happens when Entra ID wasn’t able to identify the SAML request within the URL parameters in the HTTP request. This can happen if the application is not using HTTP redirect binding when sending the SAML request to Azure AD.

    Below is a diagram of SAML SSO.

    [Image: SAML SSO diagram]

    Azure single sign-on SAML protocol — Microsoft Entra | Microsoft Docs

    If SAML SSO is started from step 1, it is called SP-initiated SAML SSO as SAML SSO is initiated by Application (Service Provider). If a user goes to IdP first, IdP will initiate SAML SSO from step 4 (Technically, IdP will send SAML Request itself.)

    Step 1, a user goes to the Application (Service Provider).

    Step 2, Application finds the Identity Provider (IdP) based on the URL or domain of the user (Home realm discovery).

    From step 3, the Application (Service Provider) generates the SAML Request and redirects the user’s browser to the Azure AD SAML single sign-on URL (https://login.microsoftonline.com/<TenantID>/saml2). However, if somehow the application doesn’t send the SAML Request in the header, Entra ID throws the AADSTS750054 error because Entra ID is not able to proceed with SAML SSO.

    The solution is that the Application (Service Provider), usually an application vendor, sends the SAML Request in the header.

    Once the Application (Service Provider) sends the SAML Request in the header, Entra ID will proceed to the next step of SAML SSO.

    Please refer to the document below for more information on this issue.

    Error AADSTS750054 - SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.

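The following is an added example, not code from the thread, from AWS or from Microsoft. It shows what step 3 of the SP-initiated flow above looks like on the wire for the HTTP-Redirect binding (the AuthnRequest is DEFLATE-compressed, base64-encoded and placed in the SAMLRequest query parameter) and a small check that reproduces the IdP-side condition behind AADSTS750054 on a captured redirect URL. The tenant ID, SP URLs and AuthnRequest are constructed placeholders.

```python
import base64
import zlib
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders for this example; not values from the original thread.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
SSO_URL = f"https://login.microsoftonline.com/{TENANT_ID}/saml2"
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2024-09-14T11:33:18Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml/acs">'
    "<saml:Issuer>https://sp.example.test</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def encode_redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(wbits=-15)  # negative wbits selects raw DEFLATE
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_binding(value: str) -> str:
    """Inverse of encode_redirect_binding, as the IdP does before reading the request."""
    return zlib.decompress(base64.b64decode(value), wbits=-15).decode("utf-8")


def build_sp_initiated_url(xml: str, relay_state: str = "/desktop") -> str:
    """Step 3 of the flow: the SP redirects the browser to the IdP with SAMLRequest in the query string."""
    params = {"SAMLRequest": encode_redirect_binding(xml), "RelayState": relay_state}
    return f"{SSO_URL}?{urlencode(params)}"  # urlencode percent-encodes '+', '/' and '='


def check_redirect_url(url: str) -> str:
    """Mimic the IdP-side check behind AADSTS750054 on a redirect URL captured from the browser."""
    query = parse_qs(urlsplit(url).query)
    present = [k for k in ("SAMLRequest", "SAMLResponse") if k in query]
    if not present:
        return "missing: neither SAMLRequest nor SAMLResponse in query string (AADSTS750054)"
    try:
        xml = decode_redirect_binding(query[present[0]][0])
    except (zlib.error, ValueError):
        return f"{present[0]} present but not DEFLATE+base64 encoded"
    root = xml.split(" ", 1)[0][1:]  # name of the root element, e.g. samlp:AuthnRequest
    return f"ok: {present[0]} decodes to <{root}>"


if __name__ == "__main__":
    print(check_redirect_url(build_sp_initiated_url(AUTHN_REQUEST)))
    print(check_redirect_url(SSO_URL))  # the bare SSO URL, as in the failing case above
```

Running `check_redirect_url` on the URL the browser is actually sent to (from the address bar or a HAR capture) tells you whether the SP ever attached a SAMLRequest, which separates an SP-side misconfiguration from a problem inside Entra ID.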
