SAML troubleshooting guide
SAML ACS URL mismatch: causes, evidence, and fixes
A SAML ACS URL mismatch happens when the Assertion Consumer Service (ACS) endpoint that receives the SAML Response does not match the ACS URL registered in the SP metadata or the one requested in the AuthnRequest during login.
Common symptoms
- IdP rejects the AuthnRequest as untrusted.
- SP rejects the SAML Response after redirect.
- Destination or Recipient differs from the expected ACS URL.
Evidence to collect
- AuthnRequest AssertionConsumerServiceURL.
- SP metadata AssertionConsumerService Location values.
- SAML Response Destination and SubjectConfirmationData Recipient.
Common causes
- Metadata contains an old ACS URL.
- Application sends a dynamic ACS URL not present in metadata.
- Production and test SP settings are mixed.
How to fix or triage it
- Update SP metadata with the exact production ACS URL.
- Make the application emit the same ACS URL trusted by the IdP.
- Coordinate metadata refresh on both sides.
How AccessTrace AI helps
- Compares ACS, Destination, Recipient, and metadata locations.
- Highlights exact URL mismatches.
- Creates clean ticket language for IdP and vendor teams.
Example evidence
AssertionConsumerServiceURL="https://app.example.com/saml/acs"
Metadata ACS Location="https://old-app.example.com/saml/acs"
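The evidence above can be cross-checked mechanically. The script below is an added example, not code from this page or from AccessTrace AI: it parses a constructed AuthnRequest, SP metadata document and SAML Response (sample messages written to reproduce the page's mismatch, with hypothetical IDs, timestamps and an idp.example.com endpoint), extracts the four values listed under "Evidence to collect", and reports every exact mismatch so the triage steps can be applied to the right side.

```python
"""Cross-check the ACS-related URLs in a SAML login flow.

Added example. The three XML documents are constructed sample evidence that
mirror the mismatch on the page: the application requests the new host while
SP metadata (and therefore the IdP) still uses the old one.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed sample: what the application actually sent.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://app.example.com/saml/acs"
    Destination="https://idp.example.com/sso"/>"""

# Constructed sample: what the IdP trusts (stale ACS Location).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://old-app.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the IdP answers to the ACS it trusts, not the one requested.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:01Z"
    Destination="https://old-app.example.com/saml/acs">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:01Z">
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://old-app.example.com/saml/acs"
            NotOnOrAfter="2024-01-01T00:05:00Z" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def extract_acs_evidence(authn_request, sp_metadata, saml_response):
    """Pull the four ACS-related values out of the three documents."""
    req = ET.fromstring(authn_request)
    meta = ET.fromstring(sp_metadata)
    resp = ET.fromstring(saml_response)
    scd = resp.find(".//saml:SubjectConfirmationData", NS)
    return {
        "authn_request_acs": req.get("AssertionConsumerServiceURL"),
        "metadata_acs_locations": [
            acs.get("Location") for acs in meta.findall(".//md:AssertionConsumerService", NS)
        ],
        "response_destination": resp.get("Destination"),
        "response_recipient": scd.get("Recipient") if scd is not None else None,
    }


def find_acs_mismatches(evidence):
    """Return a list of findings; an empty list means every URL agrees exactly."""
    findings = []
    trusted = evidence["metadata_acs_locations"]
    requested = evidence["authn_request_acs"]

    # A requested ACS URL absent from metadata is the "dynamic ACS URL" cause.
    if requested and requested not in trusted:
        findings.append(f"AuthnRequest ACS {requested} is not listed in SP metadata {trusted}")

    # Destination and Recipient must name the endpoint that actually receives the POST.
    for label in ("response_destination", "response_recipient"):
        value = evidence[label]
        if value is None:
            findings.append(f"{label} is missing from the SAML Response")
        elif requested and value != requested:
            findings.append(f"{label} {value} differs from requested ACS {requested}")
    return findings


def triage(authn_request=AUTHN_REQUEST, sp_metadata=SP_METADATA, saml_response=SAML_RESPONSE):
    """Extract evidence and compare it; returns (evidence, findings)."""
    evidence = extract_acs_evidence(authn_request, sp_metadata, saml_response)
    return evidence, find_acs_mismatches(evidence)


if __name__ == "__main__":
    evidence, findings = triage()
    for key, value in evidence.items():
        print(f"{key}: {value}")
    print("\n".join(findings) or "All ACS-related URLs agree")
```

Comparison is byte-exact on purpose: the fix on the page is to make metadata and application emit the exact same URL, so the check should not paper over host, scheme or path differences. Feed the three real (sanitized) documents to `triage()` to see which of the three sources disagrees before opening a ticket with the IdP or vendor team.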
Turn messy access evidence into a report
Paste sanitized SSO, directory, certificate, or access-policy evidence into AccessTrace AI and generate findings, remediation steps, vendor questions, and ticket-ready language.
Start with the free plan