Symptom
- When trying to activate IAS, the user receives a Reply URL faulty error.
- The user receives the error AADSTS50011 when trying to sign in to an application that has been set up to use Azure AD for identity management using SAML-based SSO:
AADSTS50011: The reply URL 'https://example/saml2/idp/xxx/example.example.example.nl' specified in the request does not match the reply URLs configured for the application 'https://example.example'. Make sure the reply URL sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/urlMismatchError to learn more about how to fix this
- The user receives the error AADSTS50105 when trying to sign in to an application that has been set up to use Azure AD for identity management using SAML-based SSO:
AADSTS50105: Your administrator has configured the application SAP SuccessFactors Preview SSO to block users unless they are specifically granted ('assigned') access to the application. The signed in user 'xxx' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.
Environment
SAP SuccessFactors HCM Suite
Reproducing the Issue
- Go to Admin Center
- Access Upgrade Center
- Find the upgrade Activate SuccessFactors Identity Authentication Service Integration.
- Click Learn More & Upgrade Now
- Click Upgrade Now.
- Click Confirm.
- Click Test Now
- The error message appears
Cause
- This error is raised on the Azure side: the AssertionConsumerServiceURL value in the SAML request doesn't match the Reply URL value or pattern configured in Azure AD. The AssertionConsumerServiceURL value in the SAML request is the URL you see in the error.
- The customer is using a custom domain that is not configured correctly.
Resolution
-- The information provided does not imply that SAP Cloud Product Support has any expertise in setting up Azure systems for customers. It is merely information gathered over time while configuring SAML SSO with Azure, which may help you achieve a smoother setup. If you require assistance setting up your Microsoft Azure system, please reach out to your consultant, partner, or Microsoft support. --
- To fix the issue, follow these steps:
  - Ensure that the AssertionConsumerServiceURL value in the SAML request matches the Reply URL value configured in Azure AD.
  - Verify or update the value in the Reply URL textbox to match the AssertionConsumerServiceURL value in the SAML request.
As an example, refer to the following article for detailed steps about how to configure the values in Azure AD: Tutorial: Azure AD SSO integration with Salesforce
Note: The reply URL is also known as Redirect URI. These values depend on what application is being used. You should get the values from the application vendor.
After you've updated the Reply URL value in Azure AD, and it matches the value sent by the application in the SAML request, you should be able to sign in to the application.
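To see which AssertionConsumerServiceURL the application actually sends, the SAMLRequest value from the failing sign-in (for example, copied from the browser's network trace and URL-decoded) can be decoded and compared with the configured Reply URLs. The script below is an added example, not part of this KBA or of any SAP or Microsoft tooling; all URLs in it are constructed, and it assumes a match means exact string equality.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_XML = 64 * 1024  # cap on inflated size; an AuthnRequest is small

def decode_saml_request(b64_value: str) -> bytes:
    """Decode a URL-decoded SAMLRequest value to XML bytes."""
    raw = base64.b64decode(b64_value)
    if raw.lstrip().startswith(b"<"):   # HTTP-POST binding: plain base64
        xml = raw
    else:                               # HTTP-Redirect binding: raw DEFLATE
        xml = zlib.decompressobj(-15).decompress(raw, MAX_XML + 1)
    if len(xml) > MAX_XML or b"<!DOCTYPE" in xml:
        raise ValueError("refusing oversized request or one carrying a DTD")
    return xml

def acs_url(xml: bytes) -> str:
    """Return the AssertionConsumerServiceURL attribute of the AuthnRequest."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return root.attrib.get("AssertionConsumerServiceURL", "")

def compare(acs: str, reply_urls: list[str]) -> dict:
    """Exact-match check plus, per configured URL, the URL parts that differ."""
    sent = urlsplit(acs)
    diffs = {}
    for url in reply_urls:
        cfg = urlsplit(url)
        diffs[url] = [part for part in ("scheme", "netloc", "path", "query")
                      if getattr(sent, part) != getattr(cfg, part)]
    return {"acs": acs, "match": acs in reply_urls, "diffs": diffs}

def sample_request(acs: str) -> str:
    # Constructed sample: a minimal AuthnRequest in HTTP-Redirect encoding.
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed" '
           f'Version="2.0" AssertionConsumerServiceURL="{acs}"/>').encode()
    z = zlib.compressobj(wbits=-15)
    return base64.b64encode(z.compress(xml) + z.flush()).decode()

if __name__ == "__main__":
    sent = "https://login.custom.example.test/saml2/idp/acs/tenant.example.test"
    configured = ["https://tenant.accounts.example.test/saml2/idp/acs/tenant.example.test"]
    print(compare(acs_url(decode_saml_request(sample_request(sent))), configured))
```

A `netloc` entry in `diffs` points to a host mismatch, which is what a custom domain that is only partly configured produces.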
- Check if the customer is using a custom domain in IAS:
  - In the IAS metadata, the user might change every place that is filled with the IAS URL to the custom domain.
  - In the provisioning, the user might change the Login and Logout URLs to the custom domain.
- For error AADSTS50105, refer to the Microsoft documentation: Error AADSTS50105 - The signed in user is not assigned to a role for the application. | Microsoft Learn
See Also
- Error AADSTS50105 - The signed in user is not assigned to a role for the application. | Microsoft Learn
- Error AADSTS50011 - The reply URL specified in the request does not match the reply URLs configured for the application <GUID>. | Microsoft Learn
- KBA - 2348735 - [SSO] Single Sign On setup between Microsoft Azure and SuccessFactors
Keywords
Reply URL faulty, Identity Provider, Azure, custom domain, AADSTS50011, SAML-based SSO, AADSTS50105, AssertionConsumerServiceURL, application <GUID>. Reply URL value in Azure AD, KBA, LOD-SF-PLT-IAS, Identity Authentication Services (IAS) With BizX, BC-IAM-IDS, Identity Authentication Service, LOD-SF-RMK-ICS, Internal Career Site Builder (CSB, IAS, etc ...), How To