Error code 578 with EntraID
Hi Team,
I'm trying to setup an enterprise connection with my EntraID tenant but no matter what I do I get the following error when trying to sign in:
I've checked all the details and they all match including the entity ID, identifiers, and certificate (I've tried pasting in just the certificate as well as the entire metadata XML which the user guide seems to suggest doing) but no dice.
I've also tried in a clean browser session with a new user as well as an existing user with the enterprise connection set in their account but haven't had any luck.
Does anyone have any insights on what the error might mean or what to look at next? I haven't been able to find anything in the documentation.
Thanks!
3 Replies
Hi Ewing,
Thanks for bringing this to our attention. Error code 578 indicates that Kinde encountered an issue when validating the SAML response during the callback phase. In other words, the SAML response from your EntraID tenant isn’t passing our validation checks.
Here are a few steps you can try to resolve this issue:
• Ensure that the certificate provided is in the correct PEM format and hasn’t expired. Depending on your configuration, you might need to supply either just the certificate or the full metadata XML. Double-check that the certificate matches exactly what’s configured in your EntraID tenant.
• Verify that the entity IDs, audience, and other identifiers in both your EntraID configuration and Kinde settings are an exact match. Even a small discrepancy can cause validation to fail.
• Confirm that the signature algorithm used by EntraID is supported by Kinde. Sometimes, issues can arise if the algorithm doesn’t match our expectations. Also, if you’re using the full metadata XML, ensure it’s correctly formatted.
• SAML responses are time-sensitive. Please check that your servers and systems are synchronized correctly, as time drift can sometimes cause validation issues.
If you’ve verified all the above and are still encountering error 578, please feel free to send us (with any sensitive information redacted) additional logs or details so we can investigate further.
For more detailed guidance, please see our documentation on Enterprise Connections and SAML integration:
- https://docs.kinde.com/authenticate/enterprise-connections/enterprise-connections-b2b/
- https://docs.kinde.com/authenticate/enterprise-connections/custom-saml/
- https://docs.kinde.com/authenticate/enterprise-connections/enterprise-connections-b2b/
- https://docs.kinde.com/authenticate/enterprise-connections/custom-saml/
Hi Ages,
Thanks for your reply!
I just took a look at the links you've sent through and point 4 on the second link was the key:
I added spn: to my Entity ID in Kinde and voila! It worked straight away. While the Enterprise Application was created yesterday the tenant is about 5 years old.
It might be worth mentioning that on the page for configuring Entra ID as a SAML IDP (https://docs.kinde.com/authenticate/enterprise-connections/entra-id-saml/) 🙂
Thanks again for your help.
Kinde docs
MS Entra ID (SAML) enterprise connection
Our developer tools provide everything you need to get started with Kinde.
Hi Ewing,
That’s fantastic to hear! I'm glad the
spn: prefix was the key to resolving the issue. Thanks for sharing that insight about older Entra ID tenants—it’s a valuable detail that could help others facing the same challenge.
I’ll pass along your feedback about updating the documentation to make this clearer. Let us know if you need any further assistance