Configuring RequestedAuthnContext for Entra ID application with PasswordProtectedTransport

Adel Akilo 0 Reputation points
2024-08-22T15:42:20.3133333+00:00

Can someone provide guidance on how to modify SAML request settings or application manifest to enforce PasswordProtectedTransport for an Entra ID application that requires re-authentication during e-sign process? Currently, only the username is prompted, but I would like to also prompt for password. Any insights on best practices or similar configurations would be greatly appreciated.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Raja Pothuraju 4,705 Reputation points Microsoft Vendor
    2024-08-28T01:45:04.5966667+00:00

    Hello @Adel Akilo,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, it seems that you want users to be prompted to re-authenticate when accessing your SAML application, either by modifying the SAML request or by enforcing PasswordProtectedTransport. Currently, users are being asked to select their username but are not being prompted for a password due to SSO.

    It's important to note that the PasswordProtectedTransport AuthnContextClassRef won't force re-authentication; it only indicates the method through which the user authenticated. For more details, please refer to the document on RequestedAuthnContext.

    If your main goal is to require users to re-authenticate when accessing your application, even if they have an active session with Entra ID, this can only be achieved by setting the ForceAuthn parameter to True.


    AuthnRequest

    You need to make this change in the AuthnRequest or SAML request sent by your service provider (application). A sample SAML 2.0 AuthnRequest might look like this:

    <samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                        ID="C2dE3fH4iJ5kL6mN7oP8qR9sT0uV1w"
                        Version="2.0"
                        IssueInstant="2024-08-28T01:08:04.612Z"
                        IsPassive="false"
                        ForceAuthn="false"
                        AssertionConsumerServiceURL="https://sptest.iamshowcase.com/acs">
        <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">IAMShowcase</Issuer>
    </samlp:AuthnRequest>

    In your request, set the ForceAuthn parameter to True instead of False. This way, when users attempt to access the application, they will be required to re-authenticate even if they have a valid, active session with Entra ID.

    You should contact your application service provider to request that they change the ForceAuthn parameter to True in the SAML request.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.
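As an added example (not part of the question or the answer above), the Python helpers below check whether an AuthnRequest actually carries ForceAuthn="true" and rewrite one that does not, optionally adding a RequestedAuthnContext for PasswordProtectedTransport. The sample request is constructed, modelled on the one shown in the answer; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample, modelled on the AuthnRequest in the answer above.
# ForceAuthn is still "false", so an active Entra ID session is reused.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="C2dE3fH4iJ5kL6mN7oP8qR9sT0uV1w" Version="2.0" '
    'IssueInstant="2024-08-28T01:08:04.612Z" IsPassive="false" '
    'AssertionConsumerServiceURL="https://sptest.iamshowcase.com/acs" '
    'ForceAuthn="false">'
    '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">IAMShowcase</Issuer>'
    '</samlp:AuthnRequest>'
)


def forces_reauth(authn_request_xml: str) -> bool:
    """True only when ForceAuthn is set to an xs:boolean true ("true" or "1").
    A missing attribute defaults to false, as the SAML core spec says."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("ForceAuthn", "false") in ("true", "1")


def requested_contexts(authn_request_xml: str) -> list[str]:
    """AuthnContextClassRef values the SP asked for (method hint only, not a re-auth trigger)."""
    root = ET.fromstring(authn_request_xml)
    return [e.text.strip() for e in root.iter(f"{{{SAML}}}AuthnContextClassRef") if e.text]


def with_force_authn(authn_request_xml: str, request_ppt: bool = False) -> str:
    """Return the request with ForceAuthn="true"; with request_ppt also add a
    RequestedAuthnContext for PasswordProtectedTransport if none is present."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    root = ET.fromstring(authn_request_xml)
    root.set("ForceAuthn", "true")  # this is the attribute that defeats SSO reuse
    if request_ppt and root.find(f"{{{SAMLP}}}RequestedAuthnContext") is None:
        rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext", Comparison="exact")
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = PPT
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("sample forces re-auth:", forces_reauth(SAMPLE_REQUEST))
    print(with_force_authn(SAMPLE_REQUEST, request_ppt=True))
```

Running `forces_reauth` over the requests your SP actually emits (for example, captured from a browser trace) is a quick way to confirm whether a "re-authentication" problem is really a missing ForceAuthn.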

