AADSTS900561 error when SA IDP is configured as EAM in Entra ID

Applies to:
  • SecureAuth Identity Platform
  • Legacy SecureAuth IdP
Deployment model:
  • Cloud
  • Hybrid
  • On Premises
Version Affected: [insert version(s) here]

    Description:  

    When SA IDP is configured as an External Authentication Method (EAM) in Entra ID, users may intermittently see the following error:

    AADSTS900561: The endpoint only accepts POST requests. Received a GET request

     

    Cause:  

    Due to an error on either the SA IDP or the Entra ID side, the authentication flow is interrupted, which results in the above error.

     

    Resolution:  

    Reproduce the issue with realm logging enabled. In the Debug log you may see the following:
     

    Message="[JwtValidator].[ValidateJwt]: Exception: Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key: kid: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Exceptions caught: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. token: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at SecureAuth.IdentityModel.OpenIDConnect.Validators.JwtValidator.ValidateJwt(String jwt, String audience, String issuer, SecurityKey securityKey, Boolean validateLifetime)"

    The above error indicates that signature validation is failing because the key ID (kid) in the token header does not match any known signing key. To confirm which token is affected:

  • Capture a HAR trace while reproducing the issue.
  • In the trace, locate the call to the EAM realm that follows https://login.microsoftonline.com/common/federation/externalauthproviderredirect and extract the ID token from its id_token_hint parameter.
  • Decode the JWT and take note of the kid in its header.
  • Take the tenant ID (tid) from the HAR trace and open the Entra ID keys (JWKS) endpoint in a browser:
    https://login.microsoftonline.com/[tid]/discovery/keys
  • Compare the kid from the token header with the kid values listed by the keys endpoint.

    This will confirm that signature validation is failing for a token issued and signed by Entra ID, not by SA IDP. Since the sign-in and audit logs in Entra ID do not record any details about this error, Microsoft support needs to be engaged to investigate the issue further.
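The HAR-and-JWKS comparison described above can be automated for triage. The script below is an added example written for this article; it is not SecureAuth or Microsoft code. It walks a HAR capture in order, takes the first id_token_hint seen after the externalauthproviderredirect call, decodes the JWT header and payload without verifying the signature (it only reads metadata), and reports whether the header kid appears in a JWKS document. The HAR excerpt, token, EAM realm URL (idp.example.com) and JWKS entries are constructed sample data, so the script runs offline; on a real case you would point it at the captured .har file and a saved copy of the tenant's discovery/keys response.

```python
import base64
import json
from typing import Optional

ENTRA_REDIRECT = "https://login.microsoftonline.com/common/federation/externalauthproviderredirect"


def _b64url_encode(obj: dict) -> str:
    """Encode a dict as an unpadded base64url JSON segment (used only to build sample data)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64url_decode(part: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_header_and_payload(token: str) -> tuple:
    """Return (header, payload) of a compact JWT. No signature check is done here:
    this is a triage helper that reads kid/tid, it does not trust the token."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64)))


def find_id_token_hint(har: dict) -> Optional[str]:
    """Walk HAR entries in capture order; after the Entra ID externalauthproviderredirect
    call, return the first id_token_hint found in a request body or query string."""
    seen_redirect = False
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if req["url"].startswith(ENTRA_REDIRECT):
            seen_redirect = True
            continue
        if not seen_redirect:
            continue
        params = req.get("queryString", []) + req.get("postData", {}).get("params", [])
        for p in params:
            if p["name"] == "id_token_hint":
                return p["value"]
    return None


def keys_endpoint(tid: str) -> str:
    """Tenant-specific Entra ID JWKS endpoint named in the article."""
    return f"https://login.microsoftonline.com/{tid}/discovery/keys"


def check_kid_against_jwks(har: dict, jwks: dict) -> dict:
    """Extract kid and tid from the id_token_hint and report whether the kid is published."""
    token = find_id_token_hint(har)
    if token is None:
        raise ValueError("no id_token_hint found after the externalauthproviderredirect call")
    header, payload = jwt_header_and_payload(token)
    kid, tid = header.get("kid"), payload.get("tid")
    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    return {"kid": kid, "tid": tid, "keys_url": keys_endpoint(tid), "matched": kid in known_kids}


# ---- Constructed sample data (not a real capture; all identifiers are placeholders) ----
SAMPLE_TID = "00000000-0000-0000-0000-000000000000"
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"typ": "JWT", "alg": "RS256", "kid": "KEY-ID-FROM-ENTRA-HEADER"}),
    _b64url_encode({"tid": SAMPLE_TID, "aud": "example-client-id"}),
    "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",  # placeholder signature bytes, never validated here
])
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": ENTRA_REDIRECT + "?state=example"}},
    {"request": {"method": "POST",
                 "url": "https://idp.example.com/secureauthNN/",  # hypothetical EAM realm
                 "postData": {"params": [{"name": "id_token_hint", "value": SAMPLE_TOKEN},
                                         {"name": "client_id", "value": "example-client-id"}]}}},
]}}
# JWKS whose kid does not match the token (the failure case from the Debug log) ...
JWKS_MISMATCH = {"keys": [{"kty": "RSA", "use": "sig", "kid": "SOME-OTHER-KID", "n": "placeholder", "e": "AQAB"}]}
# ... and one where the key is published, which is what a healthy tenant should show.
JWKS_MATCH = {"keys": [{"kty": "RSA", "use": "sig", "kid": "KEY-ID-FROM-ENTRA-HEADER", "n": "placeholder", "e": "AQAB"}]}

if __name__ == "__main__":
    import sys
    har_path, jwks_path = sys.argv[1:3]  # usage: script.py capture.har keys.json
    with open(har_path) as h, open(jwks_path) as k:
        print(json.dumps(check_kid_against_jwks(json.load(h), json.load(k)), indent=2))
```

A "matched": false result with a kid that is absent from the tenant's current discovery/keys response is the evidence to hand to Microsoft support, together with the keys_url and the timestamp of the capture; a true result means the published key exists and the investigation should look elsewhere.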

     

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
