When signing in with Entra ID as the Identity Provider (IdP) and Okta as the Service Provider (SP), the following error message appears:
Sorry, but we're having trouble signing you in.
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application:
- Single Sign-On (SSO)
- Identity providers (IdP)
- Entra ID
- The Reply URL (Assertion Consumer Service URL) configured in Entra ID is incorrect, or a custom domain was added/removed from Okta.
- The session is initiated from Okta using a domain other than the domain in the Reply URL configured in Entra ID.
Cause 1
The session is initiated from Okta using a domain other than the domain in the Reply URL configured in Entra ID.
- For example, the user initiates the session from example.okta.com (default domain), but the Reply URL in Entra ID is configured as customexample.com (custom domain) or vice versa.
- To resolve the issue, ensure the session is initiated from Okta with the same domain configured as the Reply URL in Entra ID.
Cause 2
Verify that the Reply URL (Assertion Consumer Service URL) is correct.
- Navigate to the Entra admin center.
- Select the Enterprise Application that is utilized for IdP in Entra ID.
- Within the application, select Single sign-on.
- Navigate to Basic SAML Configuration and click Edit.
- Verify that there is a value in the Reply URL (Assertion Consumer Service URL) and ensure that the value is correct.
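
The comparison behind both causes, as an added example that is not part of the original article: this Python script decodes a captured SAMLRequest, reads the AssertionConsumerServiceURL that Okta sent, and compares it with the Reply URLs configured in Entra ID. The function names, the sample request, the IDP_ID_PLACEHOLDER path and the exact-string comparison are assumptions made for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def decode_saml_request(value):
    """Decode a SAMLRequest value (URL-decode it first if copied from a query string)."""
    raw = base64.b64decode(value)
    if raw.startswith(b"<"):
        return raw  # HTTP-POST binding: base64 only
    return zlib.decompress(raw, -15)  # HTTP-Redirect binding: raw DEFLATE

def acs_url(value):
    """Return the AssertionConsumerServiceURL attribute of the AuthnRequest, or None."""
    xml = decode_saml_request(value)
    if b"<!DOCTYPE" in xml:
        raise ValueError("DTD in SAML message, refusing to parse")
    root = ET.fromstring(xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a SAML AuthnRequest")
    return root.get("AssertionConsumerServiceURL")

def diagnose(requested, configured):
    """Compare the ACS URL in the request with the Reply URLs set in Entra ID."""
    if requested is None:
        return "request has no AssertionConsumerServiceURL"
    if requested in configured:  # assumption: treated as an exact string match
        return "match"
    req = urlsplit(requested)
    for url in configured:
        cfg = urlsplit(url)
        if req.path == cfg.path and req.hostname != cfg.hostname:
            return "domain mismatch: request %s, configured %s" % (req.hostname, cfg.hostname)
    return "no configured Reply URL matches " + requested

# Constructed sample: session started on the default Okta domain while Entra ID
# holds the custom-domain Reply URL (Cause 1). The URL path is a placeholder.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed" Version="2.0" '
    'AssertionConsumerServiceURL="https://example.okta.com/sso/saml2/IDP_ID_PLACEHOLDER"/>' % SAMLP
)
_c = zlib.compressobj(wbits=-15)
SAMPLE_REQUEST = base64.b64encode(_c.compress(SAMPLE_XML.encode()) + _c.flush()).decode()
CONFIGURED = ["https://customexample.com/sso/saml2/IDP_ID_PLACEHOLDER"]

if __name__ == "__main__":
    print(diagnose(acs_url(SAMPLE_REQUEST), CONFIGURED))
```

A "domain mismatch" result corresponds to Cause 1; a "no configured Reply URL matches" result points to the Reply URL check under Cause 2.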
