SSO Login to Microsoft 365 Fails with Azure AD Error 500089 (SAML 2.0 Assertion Validation Failed)
Problem
A customer reported that Single Sign-On (SSO) for Microsoft 365 stopped working. Reconfiguring SSO did not resolve the issue.
During login, authentication fails. In Microsoft Azure Active Directory the following error is displayed for the corresponding sign-in attempt:
- Date: 20/01/2026, 11:20:18
- Request ID: da7b103e-27c5-40ca-a56d-4484f79e3c00
- Correlation ID: 9c539662-ba71-4908-9256-0f667b0c187f
- Authentication Request: Single-factor authentication
- Agent Type: Non-agentic
- Status: Failure
- Sign-in Error Code: 500089
- Failure Reason: SAML 2.0 assertion validation failed
Investigation
Error 500089 in Microsoft Azure Active Directory indicates that the SAML assertion issued by the Identity Provider (IdP) could not be validated.
The following checks should be performed:
1. Verify System Time Synchronization
SAML assertions are time-sensitive: the IdP stamps each assertion with a short validity window (Conditions NotBefore / NotOnOrAfter, typically a few minutes) computed from its own clock, and Azure AD evaluates that window against Microsoft's clock. If the clock of the UCS Identity Provider is ahead of or behind Azure AD by more than the small skew Microsoft tolerates, the window no longer covers the moment of validation and the assertion is rejected.
Check:
- System time on the UCS server
- Time zone configuration (SAML timestamps are in UTC, so a wrong time zone combined with a correct-looking local time still shifts them)
- NTP synchronization status
Azure AD's clock is maintained by Microsoft and cannot be adjusted by the tenant; the correction has to happen on the UCS side.
Use:
timedatectl
Verify that:
- Local time and UTC time are correct
- The correct time zone is set
- System clock synchronization is enabled
2. Verify Certificate Validity
An expired or otherwise invalid certificate used to sign the SAML assertion produces the same error. The signing certificate Azure AD holds in the federation settings of the domain must be the one the UCS IdP currently signs with; if the UCS signing certificate was renewed, the federation settings must be updated accordingly.
Check the following log files for additional details:
/var/log/univention/management-console-module-office365.log
/var/log/univention/listener.log
Further guidance on validating the Office 365 certificate can be found here:
Root Cause
The system time on the UCS server was not synchronized with a reliable time source and therefore no longer agreed with the clock Microsoft Azure Active Directory validates against.
The clock on the UCS server had drifted. Because each SAML assertion carries a strict validity window (Conditions NotBefore / NotOnOrAfter) that the IdP derives from its own clock, the assertions issued by UCS were already expired, or not yet valid, at the moment Azure AD evaluated them against the correct time, and Microsoft rejected them.
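The validity-window check described above, as an added example that is not part of the original article nor code from UCS or Microsoft: a small Python routine that evaluates the Conditions element of a SAML 2.0 assertion the way a relying party does, plus a simulation of an IdP whose clock is off by a given amount while the relying party's clock is correct. The issuer URL, the 30-second/5-minute assertion window and the 5-minute skew tolerance are assumptions (Microsoft's actual tolerance is not stated on this page); the audience value is the entity ID Microsoft 365 uses for federation.

```python
"""Validate the time window of a SAML 2.0 assertion as a relying party
such as Azure AD does, and show how IdP clock drift breaks it.

Added example for this article; not UCS or Microsoft code. The 5-minute
skew tolerance and the assertion window are assumptions.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Clock of the relying party; value taken from the article's timedatectl output.
REFERENCE_NOW = datetime(2026, 2, 17, 10, 6, 55, tzinfo=timezone.utc)

# Constructed minimal assertion (no signature); the issuer URL is hypothetical.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="{issue}">
  <saml:Issuer>https://ucs-sso.example.com/simplesamlphp/saml2/idp/metadata.php</saml:Issuer>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction>
      <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def fmt_saml_time(dt: datetime) -> str:
    """SAML 2.0 requires xs:dateTime in UTC with a trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_saml_time(value: str) -> datetime:
    """Parse an xs:dateTime ("Z" or explicit offset); reject naive values."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError(f"SAML timestamp lacks a timezone: {value}")
    return dt.astimezone(timezone.utc)


def build_assertion(idp_now: datetime) -> str:
    """Render the assertion an IdP whose clock reads idp_now would issue:
    valid from 30 s before issuance until 5 min after it (assumed window)."""
    return ASSERTION_TEMPLATE.format(
        issue=fmt_saml_time(idp_now),
        not_before=fmt_saml_time(idp_now - timedelta(seconds=30)),
        not_on_or_after=fmt_saml_time(idp_now + timedelta(minutes=5)),
    )


def check_conditions(assertion_xml: str, now: datetime,
                     skew: timedelta = timedelta(minutes=5)):
    """Return (accepted, reason) for the Conditions element, tolerating
    `skew` of clock difference in either direction.
    NotBefore is inclusive, NotOnOrAfter is exclusive (SAML 2.0 core)."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = cond.get("NotBefore")
    if not_before is not None:
        nb = parse_saml_time(not_before)
        if now + skew < nb:
            return False, f"not yet valid: now={now.isoformat()} NotBefore={nb.isoformat()}"
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after is not None:
        noa = parse_saml_time(not_on_or_after)
        if now - skew >= noa:
            return False, f"expired: now={now.isoformat()} NotOnOrAfter={noa.isoformat()}"
    return True, "validity window ok"


def sp_accepts(idp_clock_offset: timedelta, true_now: datetime = REFERENCE_NOW,
               skew: timedelta = timedelta(minutes=5)) -> bool:
    """Simulate an IdP whose clock is off by idp_clock_offset issuing an
    assertion that a relying party with the correct time validates."""
    assertion = build_assertion(true_now + idp_clock_offset)
    accepted, _ = check_conditions(assertion, true_now, skew)
    return accepted


if __name__ == "__main__":
    for offset in (timedelta(0), timedelta(minutes=-2),
                   timedelta(minutes=-30), timedelta(hours=1)):
        minutes = int(offset.total_seconds() // 60)
        verdict = "accepted" if sp_accepts(offset) else "rejected"
        print(f"IdP clock offset {minutes:+5d} min: {verdict}")
```

A drift of a couple of minutes is absorbed by the assertion window and the tolerance, which is why clock problems typically surface only once the drift has grown to tens of minutes; at that point every assertion is rejected with the same error regardless of how SSO is configured.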
Solution
Correct the system time on the UCS server and ensure proper time synchronization.
Option 1: Manually Synchronize Time via Gateway
rdate -n queries an NTP (SNTP) server once and sets the clock from the reply. Example using the gateway IP address (the gateway must be running an NTP service; substitute your own time source):
rdate -n 10.200.30.1
This is a one-off correction: it fixes the clock now but does nothing to keep it correct afterwards.
Option 2: Adjust Time Using timedatectl
Check current time settings:
timedatectl
Example output:
Local time: Tue 2026-02-17 11:06:55 CET
Universal time: Tue 2026-02-17 10:06:55 UTC
Time zone: Europe/Berlin (CET, +0100)
System clock synchronized: yes
If necessary, set the correct time manually. Note that timedatectl refuses to set the time while automatic synchronization is active ("Failed to set time: Automatic time synchronization is enabled"); in that case either disable it first with timedatectl set-ntp false and re-enable it afterwards, or skip the manual step and rely on NTP alone. The value is interpreted in the configured local time zone:
timedatectl set-time "2026-02-17 12:06:55"
After correction, verify:
timedatectl
Recommended Best Practice
Instead of setting the time manually, enable NTP synchronization to prevent future drift:
timedatectl set-ntp true
Verify synchronization status:
timedatectl timesync-status
Ensure that:
- System clock synchronized: yes
- A valid, reachable NTP source is configured
timesync-status only reports on systemd-timesyncd. If the system runs a different NTP daemon such as ntpd or chrony, check it with ntpq -p or chronyc tracking instead, and confirm that the reported offset to the time source is small (seconds, not minutes).
Conclusion
Azure AD error 500089 (“SAML 2.0 assertion validation failed”) can be caused by:
- Unsynchronized system time between UCS and Azure AD
- Expired or invalid SAML signing certificate
In this case, correcting the system time on the UCS server resolved the issue immediately and restored SSO functionality for Microsoft 365.