3204561 - Error AADSTS50011 or AADSTS50105 when trying to authenticate to SuccessFactors via IAS

Symptom

When trying to activate IAS, the user is receiving reply URL faulty error:
The user is receiving the error AADSTS50011 when trying to sign in to an application that has been set up to use Azure AD for identity management using SAML-based SSO:

AADSTS50011: The reply URL 'https://example/saml2/idp/xxx/example.example.example.nl' specified in the request does not match the reply URLs configured for the application 'https://example.example'. Make sure the reply URL sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/urlMismatchError to learn more about how to fix this
The user is receiving the error AADSTS50105 when trying to sign in to an application that has been set up to use Azure AD for identity management using SAML-based SSO:

AADSTS50105: Your administrator has configured the application SAP SuccessFactors Preview SSO to block users unless they are specifically granted ('assigned') access to the application. The signed in user 'xxx' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.

Environment

SAP SuccessFactors HCM Suite

Reproducing the Issue

Go to Admin Center
Access Upgrade Center
Find the upgrade Activate SuccessFactors Identity Authentication Service Integration.
Click Learn More & Upgrade Now
Click Upgrade Now.
Click Confirm.
Click Test Now
The error message appears

Cause

This error is on the Azure side, the AssertionConsumerServiceURL value in the SAML request doesn't match the Reply URL value or pattern configured in Azure AD. The AssertionConsumerServiceURL value in the SAML request is the URL you see in the error.
The customer is using a custom domain that is not configured correctly.

Resolution

-- The information provided does not imply that SAP Cloud Product Support have any expertise in setting up Azure systems for customers. These are merely bits of information that were gathered over time while configuring the SAML SSO with Azure which may help you with a smoother setup. If you require assistance setting up your Microsoft Azure system, please reach out to your consultant, partner, or Microsoft support --

To fix the issue, follow these steps:
1. Ensure that the AssertionConsumerServiceURL value in the SAML request matches the Reply URL value configured in Azure AD.
2. Verify or update the value in the Reply URL textbox to match the AssertionConsumerServiceURL value in the SAML request.
  
  As an example, refer to the following article for detailed steps about how to configure the values in Azure AD: Tutorial: Azure AD SSO integration with Salesforce
  Note: The reply URL is also known as Redirect URI. These values depend on what application is being used. You should get the values from the application vendor.
  After you've updated the Reply URL value in Azure AD, and it matches the value sent by the application in the SAML request, you should be able to sign in to the application.
Check if the customer is using a custom domain in IAS,
- In the IAS Metadata, all the places that are filled by the IAS URL, the user might change to the custom domain.
- In the provisioning, the user might change the URL of Login and Logout to the custom domain.
For error AADSTS50105, you can check this reference from MS documentation -> Error AADSTS50105 - The signed in user is not assigned to a role for the application. | Microsoft Learn

Keywords

Reply URL faulty, Identity Provider, Azure, custom domain, AADSTS50011, SAML-based SSO, AADSTS50105, AssertionConsumerServiceURL, application <GUID>. Reply URL value in Azure AD , KBA , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , BC-IAM-IDS , Identity Authentication Service , LOD-SF-RMK-ICS , Internal Career Site Builder (CSB, IAS, etc ...) , How To

Product

SAP SuccessFactors HXM Core 2111