SSO login issue

Jey
2024-05-14T14:08:25.1366667+00:00

Hello Team,

I'm using SAML-based Single Sign-On (SSO) with 2FA enabled. Below are the SAML options I'm currently using:

- `force_authn: false`
- `auth_context: { comparison: 'exact', class_refs: ['urn:oasis:names:tc:SAML:1.0:am:password'] }`
- `nameid_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'`
- `sign_get_request: false`
- `allow_unencrypted_assertion: true`

However, I'm encountering the following error for a few users: "Error - AADSTS75011: Authentication method by which the user authenticated with the service doesn't match requested authentication method AuthnContextClassRef".

Could you please assist me in resolving this issue? Thank you.

Microsoft Entra ID

1 answer

  1. Q&A Assist
    2024-05-14T14:08:25.1566667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The error message "Error - AADSTS75011: Authentication method by which the user authenticated with the service doesn't match requested authentication method AuthnContextClassRef" occurs when the AuthnContext (authentication method) used for the previous authentication is different from the one being requested. This error can occur when the RequestedAuthnContext value is specified in the SAML request and the user has already authenticated prior to accessing the application. One solution is to request a fresh authentication by including forceAuthn="true" in the SAML request. Another option is to remove the RequestedAuthnContext value if possible.

    Based on the SAML options provided, it seems that the auth_context value is set to urn:oasis:names:tc:SAML:1.0:am:password. This value is not one of the supported authentication context classes recognized by AD FS for WS-Federation passive authentication. Therefore, you may need to update the auth_context value to one of the supported authentication context classes.

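An added example (not code from the question or the answer) that renders the `<samlp:AuthnRequest>` the listed options produce and checks whether a given asserted `AuthnContextClassRef` would satisfy its `RequestedAuthnContext`, which is the comparison behind AADSTS75011. The SP issuer URL and the asserted class ref are constructed sample values, and only `Comparison="exact"` is modelled; the example also shows the two fixes the answer names (`force_authn: true`, or dropping `auth_context`).

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# The options from the question, plus an SP issuer (placeholder, not from the page).
PAGE_OPTIONS = {
    "issuer": "https://sp.example.invalid/saml",
    "force_authn": False,
    "auth_context": {"comparison": "exact",
                     "class_refs": ["urn:oasis:names:tc:SAML:1.0:am:password"]},
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}


def build_authn_request(opts):
    """Render the <samlp:AuthnRequest> an SP sends for these options (unsigned, no ID/dates)."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest",
                     ForceAuthn="true" if opts.get("force_authn") else "false")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = opts["issuer"]
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", Format=opts["nameid_format"])
    ctx = opts.get("auth_context")
    if ctx:  # omitting auth_context omits RequestedAuthnContext entirely
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                            Comparison=ctx["comparison"])
        for ref in ctx["class_refs"]:
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return ET.tostring(req, encoding="unicode")


def context_mismatch(request_xml, asserted_class_ref):
    """True when the class ref the IdP would assert for the user's existing session does not
    satisfy RequestedAuthnContext; that is the condition Entra reports as AADSTS75011."""
    root = ET.fromstring(request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return False  # nothing requested, so any authentication method is acceptable
    if rac.get("Comparison", "exact") != "exact":
        raise NotImplementedError("minimum/better/maximum need an IdP-specific class ordering")
    requested = {e.text for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")}
    return asserted_class_ref not in requested


if __name__ == "__main__":
    # Constructed sample: the user's existing session was established with the standard
    # SAML 2.0 password-over-TLS class, which is not the SAML 1.0 URI the request demands.
    asserted = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    print("as configured:", context_mismatch(build_authn_request(PAGE_OPTIONS), asserted))
    fixed = {**PAGE_OPTIONS, "force_authn": True, "auth_context": None}
    print("fixed:", context_mismatch(build_authn_request(fixed), asserted))
```

Running it prints `as configured: True` and `fixed: False`; a mismatch with `force_authn` left at `false` is exactly the state in which the IdP reuses an earlier session and rejects the request.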