Azure-docs: Login Redirect URL is incorrect (cannot be https://login.microsoftonline.com/{tenant-id}/saml2)

Created on 11 Jun 2019 · 24 Comments · Source: MicrosoftDocs/azure-docs

In the Workday Redirection URLs section, this page says the following:
"In the Login Redirect URL, Timeout Redirect URL and Mobile Redirect URL textbox, paste the Login URL which you have copied from the Set up Workday section of Azure portal."

The "Login URL which you have copied from the ... Azure portal" is https://login.microsoftonline.com/{tenant-id}/saml2. However, this is the login/logout SAML endpoint for Azure AD.

Configuring the Login Redirect URL with this URL leads to the error "AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding." Screenshot: https://i.imgur.com/JXT2Pm2.png



Labels: Pri2, active-directory/svc, assigned-to-author, doc-bug, saas-app-tutorial/subsvc, triaged

All 24 comments

@cap273 Thanks for your feedback! We will investigate and update as appropriate.

Having the same error when integrating Workday with Azure AD. Is there any solution for this error?

Is there any update on it?

I am having this issue as well, please update with the correct URL to use in the Workday IdP SSO Service URL textbox.

@kulbirjandoria and @pbburkhalter I will provide the screenshot for your reference.

Do you have a timeline for when you will provide the screenshot?

You should configure it in this way.
image

I am pretty sure that's wrong. What you provided is basically what I am already using, except my tenant ID is obviously different than whatever you have in your link. Can you please double check?

@jeevansd the link that you posted is the exact same format as what is currently wrong in the documentation. You closed my other ticket and I'm happy to open a ticket with you guys but the documentation is wrong regardless.

In Azure, under Basic SAML Configuration, using an identifier of http://www.workday.com resolves the problem. So please correct this documentation.

This was confirmed by the Workday support team. Please find the response from the Workday Support team below:
"Invalid Audience in SAML token: URL should start with http://www.workday.com, or end with /tenantname/login-saml.htmld

Your 'Audience' in Azure should match your "Service Provided ID" on the Workday side. It looks like both match but should be "http" instead of "https". I see Azure's documentation calls for "https", which is incorrect but their screenshot has the correct formatting of "http". Can you please update that in your "Edit Tenant Setup - Security", as well as in your Azure setup and try logging in again?"

@v-viinde and @v-nagta Can you please correct the Identifier value in this doc as stated above? I think this got changed in some other updates.

@kulbirjandoria This is also incorrect. That is a problem in the documentation but not what this original issue was opened for.

@pbburkhalter What is the other issue you are referring to?

@chetansriv and @v-nagta for visibility.

We have our own backend which should talk with Azure AD. If I press the test button on the SAML tab of my non-gallery app, I see in the log a correct request from the MS side to us. But when I open the Login URL I see the same issue as the topic starter.

Any update on this? Having the same issue with a customer.

@jakobli we solved it. We use the Python SDK (from OneLogin) and it has a .login method which generates a valid SamlRequest string (based on the provided config). We just added it to https://login.microsoftonline.com/{tenant-id}/saml2SamlRequest= and now things work fine.

To get this to work we had to configure the Login Redirect URL to https://wd3-impl.workday.com/{tenant}/login-saml2.htmld.

Hey guys, I'm not sure if this is the right chain for this question. Hopefully someone can help me.
We're trying to configure Azure SSO for Workday-Test, and once Workday times out we're getting an error message. Is there a specific link to direct it to myapps.microsoft.com after it times out?

@jeevansd Hi there, I'm getting the above issue following the documentation for workday too.
Not had any update in a while. Can you confirm, please?

of your support we provide an upgrade service for EV which is required now to ensure you stay in support and to resolve any potential performance issues.

@ayakimov Did you mean https://login.microsoftonline.com/{tenant-id}/saml2?SamlRequest=<base64_data>?

Adding the __question mark__ after saml2.

And how else can one get a __SamlRequest__ string?

So, I solved my issue by updating the values of:

  • __Login Redirect URL__
  • __Mobile App Login Redirect URL__ and
  • __Mobile Browser Login Redirect URL__

To https://<workdayhost>/<tenantname>/login-saml2.htmld.

Apparently I was '__Configure Service Provider-Initiated SAML Authentication__'

No action item is required

please-close
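
The AADSTS750054 error and the question of how a SAMLRequest string is produced both come down to the SAML HTTP-Redirect binding encoding, shown here as an added example that is not part of the thread and is not the OneLogin SDK's code. It uses the parameter name `SAMLRequest` as spelled in the error message; the tenant GUID and the ACS URL are constructed placeholders.

```python
import base64
import datetime
import uuid
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values (assumptions, not taken from a real tenant).
IDP_SSO_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
SP_ENTITY_ID = "http://www.workday.com"  # identifier discussed in the thread
SP_ACS_URL = "https://sp.example.com/acs"  # hypothetical ACS endpoint

def build_authn_request(issuer, acs_url, destination):
    """Return a minimal, unsigned SAML 2.0 AuthnRequest as XML text."""
    issue_instant = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}" AssertionConsumerServiceURL="{acs_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )

def encode_redirect(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = no zlib header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")

def decode_redirect(value):
    """Inverse of encode_redirect, useful for inspecting a captured request."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")

def sso_redirect_url(idp_url, xml_text, relay_state=None):
    """Append the SAMLRequest (and optional RelayState) as query parameters."""
    params = {"SAMLRequest": encode_redirect(xml_text)}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{idp_url}?{urlencode(params)}"  # urlencode escapes '+', '/' and '='

def has_saml_message(url):
    """True if the URL carries the query parameter the IdP endpoint requires."""
    query = parse_qs(urlsplit(url).query)
    return "SAMLRequest" in query or "SAMLResponse" in query

if __name__ == "__main__":
    xml = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_SSO_URL)
    print(sso_redirect_url(IDP_SSO_URL, xml))
```

`has_saml_message` returns False both for the bare endpoint URL and for a URL where the parameter is appended without the `?`, because in both cases the query string is empty.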
