Facing the error AADSTS650056: Misconfigured application in an Azure AD SSO application? In this post I explain how I fixed it.
When you troubleshoot AADSTS650056, the error text points at one of three causes: missing AAD Graph API permissions on the application registration, an application identifier in the request that does not match the configured one, or an invalid certificate.
In the documentation from the 3rd party application you may read that AAD Graph API permission is not needed, that the identifier URL is the same as the one in the Azure AD enterprise application, and that the SAML signing certificate is valid. That was the case in my situation, so I had to continue troubleshooting.
Within the Azure AD enterprise application, open the Single sign-on page, scroll down to step 5 and click Test. There you can paste the whole error to get a better understanding of the root cause of AADSTS650056.
Request Id: xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx Correlation Id: xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx Timestamp: 2020-12-22T09:17:20Z Message: AADSTS650056: Misconfigured application. ….
The resolution guide will tell you what happened with this failed login.
Resolution in my scenario
I was facing this error because the identifier URL in the Azure AD enterprise application did not match, even though the documentation told me it matched and the provider of the 3rd party application told me the same.
So what now, a Microsoft support case? Another strange part was that the error message AADSTS650056 showed me a different Application ID, while the Azure AD sign-in logs showed the right application for the sign-in. Just before I wanted to open a Microsoft case, I found a browser plugin called SAML-Tracer. This is a debugger for viewing SAML messages. The SAML-Tracer plugin told me the URL was wrong after all.
How to use the SAML-Tracer
You can download SAML-Tracer here:
After you have installed the SAML-Tracer plugin, reproduce the issue while SAML-Tracer is running. You will see a number of requests logged while reproducing it; the ones carrying a SAML message are marked with SAML in an orange square. Click on that line, open the SAML tab and look for the issuer in the line that starts with <saml2:Issuer>. The value shown there is the identifier URL that needs to be set as the Identifier (Entity ID) in the SSO configuration. Compare it character by character with what Azure AD has: the match is an exact string comparison, so a different scheme, a trailing slash or different casing is enough to fail.
In my scenario the issuer had HTTP instead of HTTPS. After changing the identifier in the SSO, AADSTS650056 has been resolved.
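The same check can be automated instead of read off the SAML-Tracer screen. The script below is an added example and is not code from the original post or from Microsoft or the SAML-Tracer project: it decodes the SAMLRequest value that SAML-Tracer shows (HTTP-POST binding is plain base64, HTTP-Redirect binding is base64 of raw DEFLATE), extracts <saml2:Issuer> with the standard library, and compares it with the Identifier (Entity ID) configured on the Azure AD side. The AuthnRequest and the host app.example.com are constructed for the example, and the sample reproduces the exact mismatch from this post: the application sends http:// while Azure AD was configured with https://.

```python
# Added example, not code from the original post: automates the check that the
# post does by hand in SAML-Tracer.
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import urlsplit

# Namespace URIs for <samlp:AuthnRequest> and <saml2:Issuer>. The prefix used in
# the document does not matter; ElementTree matches on the URI.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample AuthnRequest (hypothetical names, not from the post). The
# service provider identifies itself with http:// although Azure AD is
# configured with https://.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-request-1" Version="2.0" '
    'IssueInstant="2020-12-22T09:17:20Z" '
    'AssertionConsumerServiceURL="https://app.example.com/saml/acs">'
    "<saml2:Issuer>http://app.example.com/saml/metadata</saml2:Issuer>"
    "</samlp:AuthnRequest>"
)
CONFIGURED_IDENTIFIER = "https://app.example.com/saml/metadata"  # constructed


def encode_redirect_binding(xml_text: str) -> str:
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(wbits=-15)  # -15 selects raw DEFLATE, no zlib header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def encode_post_binding(xml_text: str) -> str:
    """Encode as the HTTP-POST binding does: base64 of the XML only."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_param(value: str) -> str:
    """Decode a SAMLRequest/SAMLResponse value as copied from SAML-Tracer.

    Plain XML after base64 means POST binding; anything else is treated as
    raw-DEFLATE-compressed XML from the Redirect binding.
    """
    raw = base64.b64decode(value)
    if not raw.startswith(b"<"):
        raw = zlib.decompress(raw, wbits=-15)
    return raw.decode("utf-8")


def extract_issuer(xml_text: str) -> str:
    """Return the text of the top-level <Issuer> element."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("no <Issuer> element in SAML message")
    return issuer.text.strip()


def check_identifier(issuer: str, configured: str) -> str:
    """Compare the way the IdP does: an exact, case-sensitive string match.

    Returns "match" or a short description of the mismatch. The Issuer is an
    identifier; "http://" versus "https://" here is a string difference and
    says nothing about which transport the browser actually uses.
    """
    if issuer == configured:
        return "match"
    a, b = urlsplit(issuer), urlsplit(configured)
    if a.scheme != b.scheme and (a.netloc, a.path) == (b.netloc, b.path):
        return f"scheme mismatch: request has {a.scheme}://, Azure AD has {b.scheme}://"
    if issuer.rstrip("/") == configured.rstrip("/"):
        return "trailing-slash mismatch"
    return "mismatch"


def diagnose(saml_param: str, configured: str) -> str:
    """Decode, extract the issuer and compare it in one call."""
    return check_identifier(extract_issuer(decode_saml_param(saml_param)), configured)


if __name__ == "__main__":
    encoded = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    print("issuer in request:", extract_issuer(decode_saml_param(encoded)))
    print("result:", diagnose(encoded, CONFIGURED_IDENTIFIER))
```

To use it on a real sign-in, copy the SAMLRequest parameter value from the Parameters tab in SAML-Tracer into `diagnose()` together with the Identifier (Entity ID) from Basic SAML Configuration. The Issuer value is compared as an opaque string, so the fix is always to make both sides identical; the script only tells you which of the usual differences (scheme, trailing slash, anything else) you are looking at.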
Oh, and yes, I went back to the provider of the 3rd party registration and asked them why this was changed to a less secure HTTP connection.