Medium severity, authentication
Power BI Error:
AADSTS50008, SAML assertion missing or misconfigured
What does this error mean?
The SAML assertion from your federation provider is missing, malformed, or misconfigured for this Entra ID application.
Common causes
1. The federated identity provider (ADFS/Okta/Ping/third-party IdP) issued a SAML token without the required assertion or with a malformed assertion
2. Token-signing certificate on the federation provider has expired or rotated and no longer matches the certificate registered in Entra ID
3. Issuer (entityID) or Audience URI in the SAML response doesn't match the federation trust configured in Entra ID
4. Required claims (NameID, ImmutableID/UPN) are missing or mapped to the wrong attribute on the IdP side
5. Federation trust between the on-prem IdP and Entra ID is broken or out of sync after a tenant or domain change
How to fix it
1. Capture the failing SAML response (Fiddler, browser SAML-tracer, or IdP logs) and confirm whether the <Assertion> element is present and signed
2. On the federation provider, verify the token-signing certificate is valid and matches the certificate registered in Entra ID; re-upload it via `Update-MsolFederatedDomain` / `Update-EntraFederatedDomain` if it was rotated
3. Compare the Issuer and Audience URI in the SAML response against the federation settings in Entra ID (`Get-MsolDomainFederationSettings -DomainName <domain>`) and align them
4. Validate that NameID / ImmutableID claims on the IdP map to the correct user attribute (typically objectGUID or mS-DS-ConsistencyGuid) and are not empty
5. If the IdP is ADFS, run `Test-AdfsServerHealth` and check the Microsoft 365 / Entra ID relying party trust for missing claim rules; for third-party IdPs, re-run the federation setup wizard
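
An offline check for steps 1, 3 and 4 above, added here as an example and not taken from the original page or from any Microsoft tooling: it decodes a captured base64 SAMLResponse and reports a missing assertion, a missing signature element, an Issuer or Audience mismatch, and an empty NameID. It assumes a SAML 2.0 response; the function name `triage_saml_response` and all sample values are constructed, and the expected Issuer and Audience would come from your own federation settings. It checks only that a signature element is present and does not verify it against the token-signing certificate.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def triage_saml_response(b64_response, expected_issuer, expected_audience):
    """List configuration problems in a captured, base64-encoded SAML 2.0 response."""
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        return ["rejected: DTD or entity declaration in SAML XML"]
    root = ET.fromstring(xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        if root.find("saml:EncryptedAssertion", NS) is not None:
            return ["assertion is encrypted; decrypt it before triage"]
        return ["no <Assertion> element in the response"]
    findings = []
    # Presence check only: this does NOT verify the signature cryptographically.
    if (root.find("ds:Signature", NS) is None
            and assertion.find("ds:Signature", NS) is None):
        findings.append("neither response nor assertion carries a ds:Signature")
    issuer = assertion.findtext("saml:Issuer", "", NS).strip()
    if issuer != expected_issuer:
        findings.append(f"issuer mismatch: got {issuer!r}")
    audiences = [a.text.strip() for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        findings.append(f"audience mismatch: got {audiences}")
    if not assertion.findtext("saml:Subject/saml:NameID", "", NS).strip():
        findings.append("NameID missing or empty")
    return findings

# Constructed sample (not a real capture): unsigned, wrong audience, empty NameID.
SAMPLE = base64.b64encode(b"""
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject><saml:NameID></saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:example:wrong-sp</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>""")

if __name__ == "__main__":
    print(triage_saml_response(SAMPLE, "https://idp.example.test/saml",
                               "urn:example:sp"))
```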