Authenticating from an application in TAS fails with reply URL mismatch error when SSO plan is configured to use Azure AD as OIDC provider
Article ID: 293620

Products

Operations Manager

Issue/Introduction

You are trying to configure your SSO plan to use Azure AD as an OIDC provider.

The current state is that:

  • The SSO plan setup is complete, with Azure AD as the external identity provider.
  • The application has been bound to an SSO service instance that uses the plan previously configured.
  • The application can be accessed in a web browser or from an API call, and you are redirected to the external identity provider to authenticate with your Azure AD credentials.

Upon providing the correct account credentials, you see an error message similar to the following:

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '<Application-ID>'


This issue happens when Azure AD cannot determine where to send the response: the redirect_uri in the incoming request does not match the reply URL (also called the redirect URI) configured on the application registered with Azure AD.

In your web browser, the error is presented like this:



Behind the scenes, the request sent by the application (incoming request) looks something like this:

https://login.microsoftonline.com/<TENANT-ID>/oauth2/authorize
Query parameters:
client_id=2a92c12f-####-####-b7d501eeaa473084
response_type=code
redirect_uri=https://azure-dev-sso.login.vmware.com/login/callback/############
state=J67DcQJAJ8
scope=openid
nonce=CQvH0s33YA3j


The client_id is the Application ID, which can be found in Azure AD under App registrations. The redirect_uri in the request tells Azure AD where the response to this request, that is, the authorization code, must be sent.

Based on the client_id, Azure AD looks up the application's registration and checks whether the reply URL (redirect_uri) configured there matches the redirect_uri received in the request. If there is a mismatch, an error similar to the one below is shown.



In the incoming request, the ORIGIN-KEY is set to ############ (without any dashes), but in the above screenshots the ORIGIN-KEY is set to ####-#####-#### (with dashes).


Environment

OS: Ubuntu

Resolution

The reply URL or redirect URI on the application registered with Azure AD follows a certain format:

https://AUTH-DOMAIN.login.SYSTEM-DOMAIN/login/callback/ORIGIN-KEY

  • AUTH-DOMAIN - The Auth Domain you entered in Create or Edit Service Plans.
  • ORIGIN-KEY - Can be found on the SSO Developer Dashboard. In Apps Manager, go to the org and space where the SSO service instance resides, open the service by clicking on its name, and click the Manage button to open the SSO Developer Dashboard.

The following screenshot is from the SSO Developer Dashboard showing the active Identity Provider on the service instance and the name of the ORIGIN-KEY:



Please make sure to look up the value in the dashboard, as it is not always the same as the Identity Provider name; for example, dash characters are stripped out.

Once you have constructed the reply URL based on the format above, make sure the same URL is configured as the redirect URI on the application registered with Azure AD.
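As an added example (not code from this article or from the SSO tile), the following Python script builds the reply URL in the format above from the three placeholders, extracts redirect_uri from an authorization request shaped like the one shown in the Issue section, and checks it against the reply URLs registered in Azure AD with an exact string comparison. It also flags the specific mismatch the Issue section describes, where the registered reply URL carries the ORIGIN-KEY with dashes while the request carries it without. All host names, tenant and client IDs and ORIGIN-KEY values in it are constructed; AUTH-DOMAIN, SYSTEM-DOMAIN and ORIGIN-KEY are the article's placeholders.

```python
"""Check an OIDC authorization request's redirect_uri against the reply URLs
registered in Azure AD for a TAS SSO service instance.

Added example: not code from this article or from the SSO tile. All host
names, IDs and ORIGIN-KEY values below are constructed for illustration.
"""
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


def build_reply_url(auth_domain: str, system_domain: str, origin_key: str) -> str:
    """Build the reply URL in the format the Resolution section gives:
    https://AUTH-DOMAIN.login.SYSTEM-DOMAIN/login/callback/ORIGIN-KEY
    """
    return f"https://{auth_domain}.login.{system_domain}/login/callback/{origin_key}"


def redirect_uri_from_request(request_url: str) -> Optional[str]:
    """Return the (percent-decoded) redirect_uri query parameter, or None."""
    params = parse_qs(urlsplit(request_url).query)
    values = params.get("redirect_uri")
    return values[0] if values else None


def check_reply_url(request_url: str, registered_reply_urls: List[str]) -> Dict[str, object]:
    """Compare the request's redirect_uri with the registered reply URLs.

    The comparison is an exact string match, because the reply URL configured
    in Azure AD must be the same URL the application sends. When the only
    difference is the ORIGIN-KEY segment with dashes removed, the hint says so.
    """
    redirect_uri = redirect_uri_from_request(request_url)
    result: Dict[str, object] = {"redirect_uri": redirect_uri, "match": False, "hint": ""}
    if redirect_uri is None:
        result["hint"] = "request carries no redirect_uri parameter"
        return result
    if redirect_uri in registered_reply_urls:
        result["match"] = True
        return result

    # Diagnose the case the article describes: same host and callback path,
    # but the registered ORIGIN-KEY still has the dashes of the identity
    # provider name while the request uses the dashboard value without them.
    req = urlsplit(redirect_uri)
    req_prefix, req_key = req.path.rsplit("/", 1)
    for reply in registered_reply_urls:
        reg = urlsplit(reply)
        reg_prefix, reg_key = reg.path.rsplit("/", 1)
        same_prefix = (req.scheme, req.netloc, req_prefix) == (reg.scheme, reg.netloc, reg_prefix)
        if same_prefix and req_key == reg_key.replace("-", ""):
            result["hint"] = (
                f"ORIGIN-KEY mismatch: request uses '{req_key}', registration uses "
                f"'{reg_key}'; use the value shown on the SSO Developer Dashboard"
            )
            return result
    result["hint"] = "redirect_uri is not among the registered reply URLs"
    return result


# Constructed authorization request, shaped like the one in the Issue section.
SAMPLE_REQUEST = (
    "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fazure-dev-sso.login.sys.example.com%2Flogin%2Fcallback%2Fazuread"
    "&state=J67DcQJAJ8&scope=openid&nonce=CQvH0s33YA3j"
)

if __name__ == "__main__":
    # Reply URL registered with the identity provider name (dashes kept): mismatch.
    wrong = [build_reply_url("azure-dev-sso", "sys.example.com", "azure-ad")]
    print(check_reply_url(SAMPLE_REQUEST, wrong))
    # Reply URL registered with the ORIGIN-KEY from the dashboard: match.
    right = [build_reply_url("azure-dev-sso", "sys.example.com", "azuread")]
    print(check_reply_url(SAMPLE_REQUEST, right))
```

Paste the authorization request URL captured from the browser's address bar (or the Location header of the redirect) as the request, and the reply URLs from the app registration as the list; a result with match set to False and a hint naming the ORIGIN-KEY is the situation this article describes.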