The error message "Error - AADSTS75011: Authentication method by which the user authenticated with the service doesn't match requested authentication method AuthnContextClassRef" occurs when the AuthnContext (authentication method) used for the previous authentication is different from the one being requested. This error can occur when the RequestedAuthnContext value is specified in the SAML request and the user has already authenticated prior to accessing the application. One solution is to request a fresh authentication by including forceAuthn="true" in the SAML request. Another option is to remove the RequestedAuthnContext value if possible.

Based on the SAML options provided, it seems that the auth_context value is set to urn:oasis:names:tc:SAML:1.0:am:password. This value is not one of the supported authentication context classes recognized by AD FS for WS-Federation passive authentication. Therefore, you may need to update the auth_context value to one of the supported authentication context classes.
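
The following Python code is an added example, not part of the original answer or of any SAML library. It inspects an AuthnRequest for the condition described above (a RequestedAuthnContext with no forced re-authentication) and applies each of the two fixes. The sample request, its ID and issuer URL, and the function names `audit` and `remediate` are constructed for illustration; in the XML itself the attribute on AuthnRequest is spelled `ForceAuthn`.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed sample request (ID and issuer are placeholders).
SAMPLE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:1.0:am:password</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def audit(xml_text):
    """Report the two request properties that matter for AADSTS75011."""
    root = ET.fromstring(xml_text)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    classes = [] if rac is None else [
        e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    force = root.get("ForceAuthn", "false").lower() in ("true", "1")
    return {"force_authn": force, "requested_classes": classes,
            # A pinned context on a reused session is the mismatch case.
            "mismatch_possible": bool(classes) and not force}

def remediate(xml_text, mode):
    """mode='force' sets ForceAuthn; mode='drop' removes RequestedAuthnContext."""
    root = ET.fromstring(xml_text)
    if mode == "force":
        root.set("ForceAuthn", "true")
    elif mode == "drop":
        for rac in root.findall("samlp:RequestedAuthnContext", NS):
            root.remove(rac)
    else:
        raise ValueError("mode must be 'force' or 'drop'")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(audit(SAMPLE))
    for mode in ("force", "drop"):
        print(mode, audit(remediate(SAMPLE, mode)))
```

In practice the change is made in the service provider's SAML configuration rather than by rewriting XML, since a signed request edited after signing will fail validation.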