Configuring RequestedAuthnContext for Entra ID application with PasswordProtectedTransport

Question

Configuring RequestedAuthnContext for Entra ID application with PasswordProtectedTransport

Adel Akilo 0

Can someone provide guidance on how to modify SAML request settings or application manifest to enforce PasswordProtectedTransport for an Entra ID application that requires re-authentication during e-sign process? Currently, only the username is prompted, but I would like to also prompt for password. Any insights on best practices or similar configurations would be greatly appreciated.

1 answer

Your answer

Answer 1

Raja Pothuraju 43,505 Microsoft External Staff Moderator

Hello @Adel Akilo,

Thank you for posting your query on Microsoft Q&A.

Based on your description, it seems that you want users to be prompted to re-authenticate when accessing your SAML application, either by modifying the SAML request or by enforcing PasswordProtectedTransport. Currently, users are being asked to select their username but are not being prompted for a password due to SSO.

It's important to note that the PasswordProtectedTransport AuthnContextClassRef won't force re-authentication; it only indicates the method through which the user authenticated. For more details, please refer to the document on RequestedAuthnContext

If your main goal is to require users to re-authenticate when accessing your application, even if they have an active session with Entra ID, this can only be achieved by setting the ForceAuthn parameter to True.

User's image

AuthnRequest

You need to make this change in the AuthnRequest or SAML request sent by your service provider (application). A sample SAML 2.0 AuthnRequest might look like this:

<samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="C2dE3fH4iJ5kL6mN7oP8qR9sT0uV1w" Version="2.0" IssueInstant="2024-08-28T01:08:04.612Z" IsPassive="false" AssertionConsumerServiceURL="https://sptest.iamshowcase.com/acs" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ForceAuthn="false"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">IAMShowcase</Issuer></samlp:AuthnRequest>"

In your request, set the ForceAuthn parameter to True instead of False. This way, when users attempt to access the application, they will be required to re-authenticate even if they have a valid, active session with Entra ID.

You should contact your application service provider to request that they change the ForceAuthn parameter to True in the SAML request.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Thanks,
Raja Pothuraju.

Adel Akilo 0 Reputation points

2024-08-30T17:36:21.3333333+00:00

@Raja Pothuraju ,Thank you very much for your detailed guidance, unfortunately the issue remains.

"We must follow the law which is 21CFR Part 11 that requires at least 2 components.

“(1) Employ at least two distinct identification components such as an identification code and password.”

This is the flow we are currently seeing:

Instead of this -

Note: The expected prompt works well in okta using SWA protocol but not yet in Entra ID using SAML. The app is in dev stage and currently leveraging PingID as MFA.
Raja Pothuraju 43,505 Reputation points Microsoft External Staff Moderator

2024-08-30T20:48:56.7133333+00:00

@Adel Akilo,

Thank you for your response.

If you set the forceAuthn="true" parameter in the SAML request, this issue should not occur. Since you are encountering this error, I recommend re-verifying the SAML request being sent by the application service provider to Entra ID.

Based on the screenshots attached, I see the user has already authenticated prior to access the application and the AuthnContext (authentication method) used for that previous authentication is different from the one being requested. This mismatch in authentication methods is causing the error.

To resolve this issue, you could ask the application team to remove the RequestedAuthnContext value, which is optional.

Another option is to make sure that the RequestedAuthnContext value will be honored. This is done by requesting a fresh authentication. By doing this, when the SAML request is processed, a fresh authentication is done and AuthnContext is honored. In order to request a Fresh Authentication, the SAML request must contain the value, forceAuthn="true".

Please refer to the following document for more details: Troubleshoot Azure Entra ID: Error Code AADSTS75011.

Thanks,
Raja Pothuraju.
Raja Pothuraju 43,505 Reputation points Microsoft External Staff Moderator

2024-09-04T16:05:41.7166667+00:00

Hello @Adel Akilo,

Following up to see if the below suggestion was helpful. And, if you have any further query do let us know.
Raja Pothuraju 43,505 Reputation points Microsoft External Staff Moderator

2024-09-09T20:30:52.21+00:00

Hello @Adel Akilo,

Following up to see if the below suggestion was helpful. And, if you have any further query do let us know.

Share via

Configuring RequestedAuthnContext for Entra ID application with PasswordProtectedTransport

1 answer

Your answer