Hi,
I'm using the Power BI Embedded "App owns data" approach. I have created a master user with a Pro account in my customer's tenant. When I log in with that user on powerbi.com, I get redirected to my organization's login page (SAML based), I enter my credentials, and then I am redirected back to powerbi.com.
Now when I use the App owns data approach, my code is failing at this line:

```csharp
// Create a user password credentials.
var credential = new UserPasswordCredential(Username, Password);

// Authenticate using created credentials
var authenticationContext = new AuthenticationContext(AuthorityUrl);
var authenticationResult = await authenticationContext.AcquireTokenAsync(ResourceUrl,
                                                                         ClientId,
                                                                         credential);
```
It says "AADSTS75005: The request is not a valid SAML 2.0 protocol message". I suspect this is because when I'm trying to log in, in the backend it is taking me to my org page which is based on SAML. It goes to a URL like this
How to solve this issue? Can I pass some param so I can bypass this for embedding?
Appreciate help
Ranbeer
Hi Ranbeer,
Please also refer to application-sign-in-problem-federated-sso-non-gallery.md#not-a-valid-saml-request.
Best Regards,
Dale
Hi, I checked.
Could it be because Azure supports SAML 2.0, and my org is replying with the SAML 1.0 protocol? How do I get a 2.0 response from my STS URL?
Here's a sample response I get, with the assertion as SAML 1.0:
```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
  <s:Header>
    <add:To xmlns:add="http://www.w3.org/2005/08/addressing">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</add:To>
    <add:Action xmlns:add="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal</add:Action>
    <wsse:Security s:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp wsu:Id="d0f741a5-960d-47a9-b5b3-7eede0a6b761" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2018-06-05T07:46:04.605Z</wsu:Created>
        <wsu:Expires>2018-06-05T07:51:04.605Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </s:Header>
  <s:Body>
    <wst13:RequestSecurityTokenResponseCollection xmlns:wst13="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst13:RequestSecurityTokenResponse>
        <wst13:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst13:TokenType>
        <wst13:RequestedSecurityToken>
          <saml:Assertion AssertionID="ID" IssueInstant="2018-06-05T07:46:04.585Z" Issuer="abc.com" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
            <saml:Conditions NotBefore="2018-06-05T07:45:04.585Z" NotOnOrAfter="2018-06-05T07:49:04.585Z">
              <saml:AudienceRestrictionCondition>
                <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
              </saml:AudienceRestrictionCondition>
            </saml:Conditions>
            <saml:AuthenticationStatement AuthenticationInstant="2018-06-05T07:46:04.585Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
              <saml:Subject>
                <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
```
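Added example, not part of the original thread: a small Python check that reads a WS-Trust response of the shape posted above and reports the token type, the assertion's SAML version, its audience, and whether a given time falls inside its validity window. `SAMPLE_RSTR` is a constructed message with a placeholder issuer, and `describe_rstr` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",  # namespace shared by SAML 1.0 and 1.1
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (placeholder issuer), shaped like the response in the post.
SAMPLE_RSTR = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>
<wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wst:RequestSecurityTokenResponse>
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
<wst:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="ID" Issuer="sts.example.test" MajorVersion="1" MinorVersion="1">
<saml:Conditions NotBefore="2018-06-05T07:45:04.585Z" NotOnOrAfter="2018-06-05T07:49:04.585Z">
<saml:AudienceRestrictionCondition><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestrictionCondition>
</saml:Conditions></saml:Assertion>
</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>"""

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def describe_rstr(xml_text, now):
    """Summarise the token carried in a WS-Trust RequestSecurityTokenResponse."""
    root = ET.fromstring(xml_text)
    token = root.find(".//wst:RequestedSecurityToken", NS)
    if token is None:
        raise ValueError("no RequestedSecurityToken in response")
    info = {"token_type": root.findtext(".//wst:TokenType", default="", namespaces=NS).strip()}
    a1, a2 = token.find("saml1:Assertion", NS), token.find("saml2:Assertion", NS)
    if a1 is not None:  # SAML 1.x: version in attributes, issuer is an attribute
        assertion, prefix = a1, "saml1"
        info["saml_version"] = f'{a1.get("MajorVersion")}.{a1.get("MinorVersion")}'
        info["issuer"] = a1.get("Issuer")
    elif a2 is not None:  # SAML 2.0: single Version attribute, issuer is an element
        assertion, prefix = a2, "saml2"
        info["saml_version"] = a2.get("Version")
        info["issuer"] = a2.findtext("saml2:Issuer", namespaces=NS)
    else:
        raise ValueError("token is not a SAML assertion")
    cond = assertion.find(f"{prefix}:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    info["audiences"] = [a.text for a in cond.findall(f".//{prefix}:Audience", NS)]
    info["valid_now"] = _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))
    return info
```

Pass a timezone-aware `now`; the four-minute window in the sample means a response captured earlier will already report `valid_now` as false.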
Did you check Cloud.config?
There is a line with the URL address where the app should be authorized.
Something like this:
add key="authorityUrl"
You can try using some advice from this link:
section: