Introduction
An app migration can move the live site successfully while SAML single sign-on still posts the login response to the old domain. Users may reach the new application homepage without trouble, but the identity provider continues sending assertions to a retired Assertion Consumer Service endpoint because the SAML configuration was never updated after the cutover. This creates a confusing situation where the application works but SSO-based authentication fails.
Treat this as an SSO endpoint-alignment problem instead of a general authentication outage. Start by checking the exact ACS URL used during the SAML response flow, because one stale hostname in IdP settings or service provider metadata can keep authentication tied to the previous domain after the rest of the app has already moved. This issue is particularly common because SAML configurations exist on both the identity provider and service provider sides, and both must be updated during migration.
The problem frequently appears after domain migrations, application rehosting, or when organizations consolidate applications under new domains. SAML relies on exact URL matching for security, so even small changes (http to https, path changes, hostname changes) require configuration updates on both the IdP (like Okta, Azure AD, or OneLogin) and the service provider application.
Symptoms
- SAML login sends users or assertions to the old domain after app migration
- The identity provider login works, but the final sign-in step fails on callback with errors
- Users see SSO errors only after authentication is handed back to the application
- The new app loads normally, but SAML-based login still reaches the retired hostname
- One identity provider connection works while another still uses the old ACS endpoint
- The issue started after app migration, domain change, or single sign-on reconfiguration
- Browser redirects to old domain after successful IdP authentication
- SAML assertion appears in IdP logs but user never reaches the application
- Different environments (dev, staging, prod) have inconsistent SAML behavior
- Error messages mention ACS URL mismatch or destination validation failure
Common Causes
- The identity provider still stores the old ACS URL for the application in its SAML app configuration
- Service provider metadata still advertises the previous callback domain in its metadata XML
- The entity ID, reply URL, or SSO application settings were copied forward without updating the live endpoint
- Multiple SAML apps or environments exist (dev/staging/prod), and production still uses the wrong one
- Teams validated local login or page access but skipped the full SAML callback path after migration
- The old domain remained reachable long enough to hide the stale ACS configuration during testing
- SP metadata was regenerated but not uploaded to the IdP after migration
- SAML certificate rollover coincided with migration and caused additional confusion
Step-by-Step Fix
- 1.Reproduce the SAML login failure and capture the final destination URL used for the assertion or callback using browser developer tools (Network tab), because you need the real ACS target before changing identity settings.
- 2.Compare the live ACS URL in the SAML response with the intended post-migration domain, path, and HTTPS scheme, because SAML endpoints are strict and even a small mismatch (trailing slash, http vs https) can break login.
- 3.Check the identity provider configuration for the affected SAML app (Okta, Azure AD, OneLogin, etc.) and review the reply URL, ACS URL, sign-on URL, and any related endpoints, because the stale domain often remains on the IdP side after a domain move.
- 4.Review the service provider metadata and application-side SAML settings as well, because the app may still publish or expect the old callback URL even if the IdP was partly updated. Check the metadata URL or XML configuration.
- 5.Confirm that production is using the correct SAML application, certificate set, and environment mapping, because a staging or legacy enterprise app can silently keep the old domain active while the production app appears correct.
- 6.Update the real ACS URL and related SAML endpoint settings only after confirming the new domain is fully ready for sign-in traffic, because changing the wrong environment can create a wider outage. Update both IdP and SP sides.
- 7.Retest the full SAML login flow from the identity provider through the application and verify the response lands on the new domain, because a saved config edit does not prove the live SSO path is fixed.
- 8.Review additional SAML connections, subdomains, or branded login apps if more than one configuration exists, because migrations often fix one identity flow while another still posts to the legacy domain.
- 9.Document the final ACS URL, entity ID, certificate expiration, and IdP/SP ownership after recovery, because SAML settings are easy to miss during future app or domain migrations.
Verification
Confirm the fix is complete:
- 1.Test SAML login from the IdP and verify successful authentication to the new application domain
- 2.Check browser developer tools to confirm the SAML response posts to the new ACS URL
- 3.Verify users can access the application after SSO without errors
- 4.Test with multiple user accounts to ensure consistent behavior
- 5.Check IdP logs to confirm successful SAML assertions to the correct endpoint
Prevention
To avoid this issue in future migrations:
- Document all SAML configurations (IdP and SP sides) before beginning a domain migration
- Update ACS URLs on both IdP and SP as part of the migration checklist
- Test the complete SAML flow after migration, not just application accessibility
- Use separate SAML apps for different environments to avoid confusion
- Keep metadata URLs documented and accessible for quick updates
- Schedule certificate validity checks alongside SAML configuration reviews
- Include SAML endpoint validation in post-migration testing procedures
Related Articles
- [WordPress troubleshooting: Fix S3 Configuration Error - Complete Tr](fix-s3-configuration-error)
- [WordPress troubleshooting: Fix RDS Configuration Error - Complete T](fix-rds-configuration-error)
- [Technical troubleshooting: Fix Certificate Based Client Authentication Mtls C](certificate-based-client-authentication-mtls-cert-cn-mismatch)
- [Fix Fix 8021x Clients Still Authenticating Against Old Policy Server After Migration Issue in Identity & Access](fix-8021x-clients-still-authenticating-against-old-policy-server-after-migration)
- [Fix Active Directory Account Lockout Policy Too Aggressive](fix-active-directory-account-lockout-policy-too-aggressive)
<script type="application/ld+json"> { "@context": "https://schema.org", "@type": "TechArticle", "headline": "How to Fix a SAML ACS URL Still Pointing to the Old Domain After App Migration", "description": "Resolve a SAML ACS URL still pointing to the old domain after app migration by checking IdP settings, SP metadata, and stale SSO endpoints.", "url": "https://www.fixwikihub.com/fix-saml-acs-url-still-pointing-to-old-domain-after-app-migration", "publisher": { "@type": "Organization", "name": "FixWikiHub", "url": "https://www.fixwikihub.com" }, "author": { "@type": "Person", "name": "FixWikiHub Editorial Team" }, "datePublished": "2025-10-31T04:18:35.804Z", "dateModified": "2025-10-31T04:18:35.804Z" } </script>