Kinde 6mo ago
Ewing

Error code 578 with EntraID

Hi Team, I'm trying to set up an enterprise connection with my EntraID tenant but no matter what I do I get the following error when trying to sign in:
Something went wrong when we tried to authenticate you, and we can’t offer a quick way out. Start a new session and try signing in again. Error code: 578
I've checked all the details and they all match including the entity ID, identifiers, and certificate (I've tried pasting in just the certificate as well as the entire metadata XML which the user guide seems to suggest doing) but no dice. I've also tried in a clean browser session with a new user as well as an existing user with the enterprise connection set in their account but haven't had any luck. Does anyone have any insights on what the error might mean or what to look at next? I haven't been able to find anything in the documentation. Thanks!
6 Replies
Roshan 6mo ago
Hi Ewing,

Thanks for bringing this to our attention. Error code 578 indicates that Kinde encountered an issue when validating the SAML response during the callback phase. In other words, the SAML response from your EntraID tenant isn’t passing our validation checks. Here are a few steps you can try to resolve this issue:

• Ensure that the certificate provided is in the correct PEM format and hasn’t expired. Depending on your configuration, you might need to supply either just the certificate or the full metadata XML. Double-check that the certificate matches exactly what’s configured in your EntraID tenant.
• Verify that the entity IDs, audience, and other identifiers in both your EntraID configuration and Kinde settings are an exact match. Even a small discrepancy can cause validation to fail.
• Confirm that the signature algorithm used by EntraID is supported by Kinde. Sometimes, issues can arise if the algorithm doesn’t match our expectations. Also, if you’re using the full metadata XML, ensure it’s correctly formatted.
• SAML responses are time-sensitive. Please check that your servers and systems are synchronized correctly, as time drift can sometimes cause validation issues.

If you’ve verified all the above and are still encountering error 578, please feel free to send us (with any sensitive information redacted) additional logs or details so we can investigate further. For more detailed guidance, please see our documentation on Enterprise Connections and SAML integration:
- https://docs.kinde.com/authenticate/enterprise-connections/enterprise-connections-b2b/
- https://docs.kinde.com/authenticate/enterprise-connections/custom-saml/
Ewing (OP) 6mo ago
Hi Ages, Thanks for your reply! I just took a look at the links you've sent through and point 4 on the second link was the key:
If Microsoft is your provider and your app is a bit older, you may need to add spn: to the beginning of the Entity ID string in Kinde, e.g. spn:5836g209gbhw09r8y0913. This is not required for newly created apps.
I added spn: to my Entity ID in Kinde and voila! It worked straight away. While the Enterprise Application was created yesterday, the tenant is about 5 years old. It might be worth mentioning that on the page for configuring Entra ID as a SAML IDP (https://docs.kinde.com/authenticate/enterprise-connections/entra-id-saml/) 🙂 Thanks again for your help.
Roshan 6mo ago
Hi Ewing, That’s fantastic to hear! I'm glad the spn: prefix was the key to resolving the issue. Thanks for sharing that insight about older Entra ID tenants—it’s a valuable detail that could help others facing the same challenge. I’ll pass along your feedback about updating the documentation to make this clearer. Let us know if you need any further assistance.
ryno1234. 3mo ago
I just encountered this same error code but ignored the suggestion (initially) regarding spn: because I didn't think my app was old - I just created the Microsoft Enterprise Application today. I banged away at changing config for the past two hours to no avail. I finally gave the spn: suggestion a try and it actually did resolve my problem! Not sure why, but I'm grateful for this info. I'm now encountering a separate issue where after authenticating, I'm immediately signed out. Any idea what would cause this?
ryno1234. 3mo ago
You can ignore the above message. It was because the "Name ID Format" wasn't set and apparently matters in this case. Additionally, my claims needed configuring to ensure that the email address was coming over in the correct claims and that First Name / Last Name were actually set on the user so they'd populate in Kinde.
Roshan 3mo ago
Hi Ryno, Thanks for reaching out. Just to double-check, had you already tried following the steps outlined in our current documentation, including adding the spn: prefix to the Entity ID and setting the Name ID Format? In the documentation:
“If Microsoft is your provider and your app is a bit older, you may need to add spn: to the beginning of the Entity ID string in Kinde.”
This can apply even to newly created enterprise applications if the Entra ID tenant itself is older, which appears to be the case for a few other users as well. Let me know how it goes.
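
A diagnostic for the identifier-mismatch and time-drift checks discussed in this thread, as an added example (not code from Kinde or from any poster): it decodes a captured base64 SAMLResponse and compares its Audience and validity window against the Entity ID configured on the service-provider side. The sample response is constructed, the function and finding names are hypothetical, and it assumes the spn: prefix shows up in the assertion's Audience element; it does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real capture); signature elements omitted.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test/placeholder-tenant/</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T11:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>spn:5836g209gbhw09r8y0913</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def _ts(value):
    # SAML timestamps are UTC xs:dateTime, optionally with fractional seconds.
    return datetime.fromisoformat(value.rstrip("Z").split(".")[0]).replace(tzinfo=timezone.utc)


def diagnose(saml_response_b64, configured_entity_id, now, skew=timedelta(minutes=3)):
    """Return a list of findings for a base64 SAMLResponse (HTTP-POST binding)."""
    # ElementTree is acceptable for a response you captured yourself;
    # use a hardened parser (e.g. defusedxml) for untrusted XML.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    if configured_entity_id not in audiences:
        # Distinguish the prefix-only difference from an unrelated identifier.
        if f"spn:{configured_entity_id}" in audiences:
            findings.append("audience-has-spn-prefix")
        else:
            findings.append("audience-mismatch")
    cond = root.find(".//saml:Conditions", NS)
    if cond is not None:
        # Allow a small clock skew on both edges of the validity window.
        if "NotBefore" in cond.attrib and now + skew < _ts(cond.attrib["NotBefore"]):
            findings.append("not-yet-valid")
        if "NotOnOrAfter" in cond.attrib and now - skew >= _ts(cond.attrib["NotOnOrAfter"]):
            findings.append("expired")
    return findings
```

The SAMLResponse form field can be copied from the browser's network tab on the POST back to the service provider; redact it before sharing, since it contains user attributes.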
