AssertionConsumerServiceIndex cannot be set when ProtocolBinding or AssertionConsumerServiceUrl are set

Question

Hello all

I am attempting to configure SAML SSO with Signal Sciences. Their documentation for this resides here: https://docs.fastly.com/en/ngwaf/setting-up-single-sign-on-sso

Within Entra ID, I have configured the app, supplying the following:
Identifier (Entity ID): https://dashboard.signalsciences.net/
Reply URL (Assertion Consumer Service URL): https://dashboard.signalsciences.net/saml

I have pulled the base64 certificate from section 3, and uploaded it to Signal Sciences.

Under verification certificates, I have uploaded the certificate provided by Signal Sciences when selecting "Sign Authn Requests." The "require verification" option is not currently checked.

When testing SSO, I get the following message:

Screencap of my Signal Sciences SAML configuration:

Thank you for any help you can offer!

Dave

Answer 1

Hi @Dave M ,

Thank you for posting your query on Microsoft Q&A.

Based on your query, I understand that you would like to set up SAML SSO with Signal Sciences and found the error of AADSTS900237.

Azure SAML SSO has AuthNrequests which works with Assertion Consumer Service URL which must match redirect_uri which present in SAML request. This is a default configuration from SAML SSO and works Assertion Consumer Service URL. Once you configure this value it will ignore all the other attributes in Authnrequest.

You can only configure Assertion Consumer Service URL when you are trying to access the application IDP initiated flow. If you would like to use the "AssertionConsumerServiceIndex", you may need to configure SP initiated flow. Entra ID responds back to the URL that has corresponding index.

If you would like to have IDP initiated flow, kindly use Assertion Consumer Service URL and perform the SSO. If you would like to work AssertionConsumerServiceIndex you may need to check with application on adding this to the request.

Additional information:

Here is the document which helps you in understanding the SAML Authnrequest: Single sign-on SAML protocol

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".

Answer 2

Hi @Dave M ,

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

Issue: AssertionConsumerServiceIndex cannot be set when ProtocolBinding or AssertionConsumerServiceUrl are set

Solution: Resolved by @Dave M ,

"Signal Science (Application team) was able to resolve the issue."

More details here:

Single sign-on SAML protocol

If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.