SSO login issue

Jey 0 Reputation points
2024-05-14T14:08:25.1366667+00:00

Hello Team,

I'm using SAML-based Single Sign-On (SSO) with 2FA enabled. Below are the SAML options I'm currently using:

- `force_authn: false`
- `auth_context: { comparison: 'exact', class_refs: ['urn:oasis:names:tc:SAML:1.0:am:password'] }`
- `nameid_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'`
- `sign_get_request: false`
- `allow_unencrypted_assertion: true`

However, I'm encountering the following error for a few users: "Error - AADSTS75011: Authentication method by which the user authenticated with the service doesn't match requested authentication method AuthnContextClassRef".

Could you please assist me in resolving this issue? Thank you.

Tags: Microsoft Security, Microsoft Entra, Microsoft Entra ID

2 answers

  1. Q&A Assist
    2024-05-14T14:08:25.1566667+00:00
    AI generated content. This answer was created with AI from Q&A Assist.

    The error message "Error - AADSTS75011: Authentication method by which the user authenticated with the service doesn't match requested authentication method AuthnContextClassRef" occurs when the AuthnContext (authentication method) used for the previous authentication is different from the one being requested. This error can occur when the RequestedAuthnContext value is specified in the SAML request and the user has already authenticated prior to accessing the application. One solution is to request a fresh authentication by including forceAuthn="true" in the SAML request. Another option is to remove the RequestedAuthnContext value if possible.

    Based on the SAML options provided, it seems that the auth_context value is set to urn:oasis:names:tc:SAML:1.0:am:password. This value is not one of the supported authentication context classes recognized by AD FS for WS-Federation passive authentication. Therefore, you may need to update the auth_context value to one of the supported authentication context classes.


  2. Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator
    2024-06-06T08:32:17.2033333+00:00

    @Jey

    Cause:

    The RequestedAuthnContext is in the SAML request. This means the app is expecting the AuthnContext specified by the AuthnContextClassRef. However, the user has already authenticated prior to accessing the application, and the AuthnContext (authentication method) used for that previous authentication is different from the one being requested. For example, a federated user accesses MyApps and WIA occurred. The AuthnContextClassRef will be urn:federation:authentication:windows. Microsoft Entra ID won't perform a fresh authentication request; it will use the authentication context that was passed through to it by the IdP (AD FS or any other federation service in this case). Therefore, there will be a mismatch if the app requests anything other than urn:federation:authentication:windows. Another scenario is when MultiFactor was used: 'X509, MultiFactor'.

    Resolution:

    RequestedAuthnContext is an optional value. If possible, ask the application if the value could be removed.

    Another option is to make sure that the RequestedAuthnContext value will be honored. This is done by requesting a fresh authentication. By doing this, when the SAML request is processed, a fresh authentication is done and the AuthnContext is honored. In order to request a fresh authentication, the SAML request must contain the value forceAuthn="true".

    Let me know if you have any further questions,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

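The option list in the question and the cause/resolution in this answer are easier to see on the wire. The following is an added example, not code from the thread or from any SAML library: it builds a SAML 2.0 AuthnRequest with or without RequestedAuthnContext and ForceAuthn, then checks the AuthnContextClassRef in a constructed, unsigned Response against what was requested, reproducing the mismatch behind AADSTS75011 when an existing IdP session was established with urn:federation:authentication:windows while the app asked for urn:oasis:names:tc:SAML:1.0:am:password. The issuer and ACS URLs, the helper names, the tenant placeholder and the sample Response are assumptions; only Comparison="exact" is modelled.

```python
"""Illustrative SAML AuthnRequest builder and AuthnContext checker.

Added example (not from the thread or from any library): shows how
RequestedAuthnContext / ForceAuthn appear in an AuthnRequest and why a
cached IdP session whose AuthnContextClassRef differs from the requested
one fails an "exact" comparison (the AADSTS75011 situation).
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Class refs taken from the thread: the password one the app requested and
# the "windows" one Entra ID passes through after a federated WIA logon.
PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
WINDOWS = "urn:federation:authentication:windows"


def build_authn_request(issuer, acs_url, class_refs=(), comparison="exact",
                        force_authn=False, nameid_format=None):
    """Return an unsigned AuthnRequest as an XML string.

    class_refs empty -> no RequestedAuthnContext element (any context accepted).
    force_authn True -> ForceAuthn="true", so the IdP re-authenticates instead
                        of reusing an existing session.
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url,
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if nameid_format:
        ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                      {"Format": nameid_format, "AllowCreate": "true"})
    if class_refs:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": comparison})
        for ref in class_refs:
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return ET.tostring(req, encoding="unicode")


def requested_class_refs(authn_request_xml):
    """Return (comparison, [class refs]) from an AuthnRequest; (None, []) if absent."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    refs = [e.text for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return rac.get("Comparison", "exact"), refs


def assertion_class_ref(response_xml):
    """Return the AuthnContextClassRef the IdP asserted in the Response, or None."""
    root = ET.fromstring(response_xml)
    ref = root.find(f".//{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/"
                    f"{{{SAML}}}AuthnContextClassRef")
    return ref.text if ref is not None else None


def context_satisfied(authn_request_xml, response_xml):
    """Exact comparison: the asserted class must be one of the requested ones.
    With no RequestedAuthnContext in the request, any asserted class is fine."""
    comparison, refs = requested_class_refs(authn_request_xml)
    if not refs:
        return True
    if comparison != "exact":
        raise ValueError("only Comparison='exact' is modelled in this example")
    return assertion_class_ref(response_xml) in refs


def sample_response(class_ref):
    """Constructed, unsigned Response with one AuthnStatement (sample data, not a real token)."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
        f'IssueInstant="2024-05-14T14:08:25Z">'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-14T14:08:25Z">'
        f'<saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>'
        f'<saml:AuthnStatement AuthnInstant="2024-05-14T13:00:00Z">'
        f'<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}'
        f'</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
        f'</saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    sp, acs = "https://sp.example.test", "https://sp.example.test/acs"
    strict = build_authn_request(sp, acs, class_refs=[PASSWORD])      # as in the question
    relaxed = build_authn_request(sp, acs)                            # RequestedAuthnContext removed
    cached_wia = sample_response(WINDOWS)                             # existing federated WIA session
    print("strict request vs cached WIA session:", context_satisfied(strict, cached_wia))
    print("no RequestedAuthnContext:            ", context_satisfied(relaxed, cached_wia))
    print("ForceAuthn present when requested:   ",
          'ForceAuthn="true"' in build_authn_request(sp, acs, [PASSWORD], force_authn=True))
```

The first two prints correspond to the two resolutions above: with `class_refs=[PASSWORD]` and a session that was established via WIA the exact comparison fails, and with the RequestedAuthnContext dropped it passes. The third shows the `ForceAuthn="true"` attribute that makes the IdP run a fresh authentication so the requested context can actually be honored; in a real deployment the request would also be signed and the Response signature validated before any of these values are trusted.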
