Hi,
I'm using the Power BI Embedded "App owns data" approach. I have created a master user with a Pro account in my customer's tenant. When I log in with that user at powerbi.com, I get redirected to my organization's login page (SAML based), I enter my credentials and am then redirected back to powerbi.com.
Now when I use the App owns data approach, my code is failing at this line:
// Create a user password credentials.
var credential = new UserPasswordCredential(Username, Password);
// Authenticate using created credentials
var authenticationContext = new AuthenticationContext(AuthorityUrl);
var authenticationResult = await authenticationContext.AcquireTokenAsync(ResourceUrl,
    ClientId,
    credential);
It says "AADSTS75005: The request is not a valid SAML 2.0 protocol message". I suspect this is because when I'm trying to log in, in the backend it is taking me to my org page which is based on SAML. It goes to a URL like this
How do I solve this issue? Can I pass some param so I can bypass this for embedding?
Appreciate the help,
Ranbeer
Hi Ranbeer,
Please also refer to application-sign-in-problem-federated-sso-non-gallery.md#not-a-valid-saml-request.
Best Regards,
Dale
Hi, I checked,
Could it be because Azure supports SAML 2.0, and my org is replying with the SAML 1.0 protocol? How do I get a 2.0 response from my STS URL?
Here's a sample response I get, with the assertion as SAML 1.0:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Header><add:To xmlns:add="http://www.w3.org/2005/08/addressing">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</add:To><add:Action xmlns:add="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal</add:Action><wsse:Security s:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsu:Timestamp wsu:Id="d0f741a5-960d-47a9-b5b3-7eede0a6b761" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Created>2018-06-05T07:46:04.605Z</wsu:Created><wsu:Expires>2018-06-05T07:51:04.605Z</wsu:Expires></wsu:Timestamp></wsse:Security></s:Header><s:Body><wst13:RequestSecurityTokenResponseCollection xmlns:wst13="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wst13:RequestSecurityTokenResponse><wst13:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst13:TokenType><wst13:RequestedSecurityToken> <saml:Assertion AssertionID="ID" IssueInstant="2018-06-05T07:46:04.585Z" Issuer="abc.com" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Conditions NotBefore="2018-06-05T07:45:04.585Z" NotOnOrAfter="2018-06-05T07:49:04.585Z"><saml:AudienceRestrictionCondition><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AuthenticationStatement AuthenticationInstant="2018-06-05T07:46:04.585Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
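To answer the version question from a captured response rather than by eye, the following added example (not code from the thread or from Microsoft) parses a WS-Trust response and reports the token type, SAML version, issuer, audience and expiry of each issued assertion. The names `describe_rstr` and `SAMPLE_RSTR` are hypothetical, and the sample envelope is constructed to mirror the one posted above, with a placeholder issuer.

```python
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"  # namespace shared by SAML 1.0 and 1.1
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample modelled on the response in the post (not a real capture).
SAMPLE_RSTR = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
 <s:Body>
  <wst13:RequestSecurityTokenResponseCollection xmlns:wst13="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
   <wst13:RequestSecurityTokenResponse>
    <wst13:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst13:TokenType>
    <wst13:RequestedSecurityToken>
     <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="ID" Issuer="sts.example" MajorVersion="1" MinorVersion="1">
      <saml:Conditions NotBefore="2018-06-05T07:45:04.585Z" NotOnOrAfter="2018-06-05T07:49:04.585Z">
       <saml:AudienceRestrictionCondition><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestrictionCondition>
      </saml:Conditions>
     </saml:Assertion>
    </wst13:RequestedSecurityToken>
   </wst13:RequestSecurityTokenResponse>
  </wst13:RequestSecurityTokenResponseCollection>
 </s:Body>
</s:Envelope>"""

def describe_rstr(xml_text):
    """Summarise every token issued in a WS-Trust 1.3 response envelope."""
    root = ET.fromstring(xml_text)
    tokens = []
    for rstr in root.iter(f"{{{WST}}}RequestSecurityTokenResponse"):
        info = {"token_type": (rstr.findtext(f"{{{WST}}}TokenType") or "").strip(), "saml_version": None}
        for ns in (SAML1, SAML2):
            a = rstr.find(f".//{{{ns}}}Assertion")
            if a is None:
                continue
            if ns == SAML1:  # 1.x: version split over two attributes, issuer is an attribute
                info["saml_version"] = f'{a.get("MajorVersion")}.{a.get("MinorVersion")}'
                info["issuer"] = a.get("Issuer")
            else:            # 2.0: single Version attribute, issuer is a child element
                info["saml_version"] = a.get("Version")
                info["issuer"] = a.findtext(f"{{{ns}}}Issuer")
            cond = a.find(f"{{{ns}}}Conditions")
            info["not_on_or_after"] = cond.get("NotOnOrAfter") if cond is not None else None
            info["audiences"] = [e.text for e in a.iter(f"{{{ns}}}Audience")]
        tokens.append(info)
    return tokens

if __name__ == "__main__":
    print(describe_rstr(SAMPLE_RSTR))
```

For the constructed sample this reports SAML version 1.1: the `urn:oasis:names:tc:SAML:1.0:assertion` namespace is used by both 1.0 and 1.1, so the `MajorVersion`/`MinorVersion` attributes and the `TokenType` URI are what distinguish them.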
Did you check Cloud.config?
There is a line with the URL address where the app should be authorized.
Something like this:
add key="authorityUrl"
You can try using some advice from this link:
section: