Blemming•2mo ago

Entra ID AADSTS50011

Following the steps here step by step: https://zitadel.com/docs/guides/integrate/identity-providers/azure-ad-saml#configure-basic-saml-configuration I am getting an error from Microsoft:
Request Id: 2b7ddaae-f4f4-42b5-8024-778566a40800
Correlation Id: 27cd7246-2d6d-4ca9-a4ad-7ca6ee704bd5
Timestamp: 2025-07-29T14:03:25Z
Message: AADSTS50011: The reply URL 'https://xxxxxx/saml/acs' specified in the request does not match the reply URLs configured for the application 'https://xxxxxxxxxx/saml/metadata'. Make sure the reply URL sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/urlMismatchError to learn more about how to fix this.
Any pointers? My project is using Code as OIDC configuration; could this have an impact?
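An added diagnostic for the AADSTS50011 mismatch above (example code, not from the thread and not ZITADEL's or Microsoft's own): it decodes the SAMLRequest parameter for either binding and compares the AssertionConsumerServiceURL the SP actually sends against the reply URLs registered for the Entra application, using exact matching so that the trailing-slash or host differences behind this error are surfaced rather than hidden. The host sp.example.com, the AuthnRequest and TENANT_ID_PLACEHOLDER are constructed values.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest (not a capture); sp.example.com stands in for the SP host.
SAMPLE_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1" Version="2.0" '
    'IssueInstant="2025-07-29T14:03:25Z" '
    'Destination="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/saml2" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    '<saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
).encode()

def encode_saml_request(xml_bytes: bytes, binding: str) -> str:
    """Encode XML the way the SAMLRequest parameter carries it for each binding."""
    if binding == "SAML_BINDING_REDIRECT":
        # HTTP-Redirect binding: raw DEFLATE (no zlib header, wbits=-15) before base64
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        xml_bytes = comp.compress(xml_bytes) + comp.flush()
    elif binding != "SAML_BINDING_POST":
        raise ValueError(f"unsupported binding: {binding}")
    return base64.b64encode(xml_bytes).decode("ascii")

def decode_saml_request(value: str, binding: str) -> ET.Element:
    """Reverse encode_saml_request and parse the AuthnRequest root element."""
    raw = base64.b64decode(value)
    if binding == "SAML_BINDING_REDIRECT":
        raw = zlib.decompress(raw, -15)
    elif binding != "SAML_BINDING_POST":
        raise ValueError(f"unsupported binding: {binding}")
    root = ET.fromstring(raw)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"expected AuthnRequest, got {root.tag}")
    return root

def check_reply_url(value: str, binding: str, configured_reply_urls: list[str]) -> dict:
    """Return the Issuer, the ACS URL sent, and whether that ACS URL is a configured reply URL."""
    # Exact string comparison on purpose: a trailing slash, a path-case difference or an
    # http/https mix-up is precisely what produces AADSTS50011, so it must not be normalised away.
    root = decode_saml_request(value, binding)
    issuer = root.findtext(f"{{{SAML}}}Issuer", default="").strip() or None
    acs = root.get("AssertionConsumerServiceURL")
    return {"issuer": issuer, "acs": acs, "matched": acs in set(configured_reply_urls)}
```

Note that the Issuer (the entity ID, here ending in /saml/metadata) is not the reply URL; the value Entra must have registered is the ACS URL ending in /saml/acs.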
BlemmingOP•2mo ago
I have managed to fix the issue: the UI in ZITADEL would constantly reset the binding to SAML_BINDING_UNSPECIFIED even after setting it to SAML_BINDING_POST. But now when I try to log in using the button, the login page simply refreshes. In the events I have: EventTypes.idpintent.started
{
  "failureURL": {
    "ForceQuery": false,
    "Fragment": "",
    "Host": "users-di4rcj.us1.zitadel.cloud",
    "OmitHost": false,
    "Opaque": "",
    "Path": "/ui/v2/login/idp/saml/failure",
    "RawFragment": "",
    "RawPath": "",
    "RawQuery": "requestId=oidc_V2_331169385865577149",
    "Scheme": "https",
    "User": null
  },
  "idpId": "331010118260923255",
  "successURL": {
    "ForceQuery": false,
    "Fragment": "",
    "Host": "users-di4rcj.us1.zitadel.cloud",
    "OmitHost": false,
    "Opaque": "",
    "Path": "/ui/v2/login/idp/saml/success",
    "RawFragment": "",
    "RawPath": "",
    "RawQuery": "requestId=oidc_V2_331169385865577149",
    "Scheme": "https",
    "User": null
  }
}
Rajat•2mo ago
Hey @Blemming, "code as OIDC" doesn't matter; that's about how your app talks to ZITADEL, not how ZITADEL talks to Azure AD with SAML. And for the binding, please try setting it up via the API https://zitadel.com/docs/apis/resources/mgmt/management-service-update-saml-provider. If it persists (as the UI is not), that means it's a bug; we can open an issue for that later, but please try firing the API, and let me know if you need help in setting it up 🙂 Also, can you please check if account linking is turned on?
BlemmingOP•2mo ago
We have decided to use the Microsoft provider template instead of SAML, so this can be closed.
Rajat•2mo ago
Hey @Blemming, you can mark my answer with ✅ and it will auto-solve the question.
Gigi the Giraffe (Zitadel)
@Blemming, you cannot mark your own questions as solved.