Deleted
Sep 16, 2019

SSO issue with Slack on Azure AD joined machine

Hi,

Our company uses Azure AD and has integrated SSO with Slack enabled.

I am using Edge Beta (tried with Dev as well), and login to Slack fails on my AAD-joined machine with my AAD work account sync-enabled profile.

Request Id: 0fdc5271-c48a-40d0-93aa-770bcfd09600
Correlation Id: 17a3aa02-838b-446f-a54c-f146921455ae
Timestamp: 2019-09-16T19:54:54Z
Message: AADSTS75011: Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'.

This error doesn't happen:

  • If the machine is not joined to AAD
  • If the Edge user profile is not set to work account sync
  • On other SSO-enabled sites like Atlassian, Workday, etc.

My guess is that integrated SSO is not negotiating the allowed authentication methods correctly.

  • tomanderson83
    Copper Contributor

    I have seen the same issue a few times, and again just recently when enabling a pilot of passwordless authentication.

    What resolved it for me was to edit my Slack SSO configuration, change the 'AuthnContextClassRef' and set it to 'Don't send this value'. My suspicion is that Slack is sending a payload to Azure AD that isn't supported.

  • RYC-KLC
    Copper Contributor

    Switching the AuthnContextClassRef to urn:oasis:names:tc:SAML:2.0:ac:classes:X509 fixed it for me.

    This is configured in the Slack SAML configuration, under advanced.
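
The mismatch reported by AADSTS75011 can be confirmed by decoding the SAMLRequest the service provider sends and reading its RequestedAuthnContext. The following is an added example, not part of the original thread and not Slack's or Microsoft's code. The sample request, the issuer URL and all function names are constructed, and mapping the error's 'X509, MultiFactor' session to the X509 class URI is an assumption.

```python
import base64
import xml.etree.ElementTree as ET
import zlib

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
MAX_XML = 64 * 1024  # cap on inflated size (decompression-bomb guard)

def encode_redirect(xml_bytes):
    """base64(raw DEFLATE(xml)): how the HTTP-Redirect binding carries SAMLRequest."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml_bytes) + c.flush()).decode()

def decode_redirect(saml_request):
    """Inverse of encode_redirect; input is the URL-decoded SAMLRequest value."""
    d = zlib.decompressobj(-15)
    xml_bytes = d.decompress(base64.b64decode(saml_request), MAX_XML)
    if d.unconsumed_tail:
        raise ValueError("inflated request exceeds size cap")
    return xml_bytes

def requested_authn_context(xml_bytes):
    """Return (Comparison, [class refs]), or None when the element is not sent."""
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DTD not allowed in a SAML message")
    rac = ET.fromstring(xml_bytes).find(SAMLP + "RequestedAuthnContext")
    if rac is None:
        return None
    refs = [e.text.strip() for e in rac.iter(SAML + "AuthnContextClassRef") if e.text]
    return rac.get("Comparison", "exact"), refs  # SAML's default is "exact"

def verdict(saml_request, session_class):
    """Compare what the SP demands with how the session authenticated."""
    rac = requested_authn_context(decode_redirect(saml_request))
    if rac is None:
        return "no constraint"
    comparison, refs = rac
    if comparison != "exact":
        return "idp-defined ordering"
    return "match" if session_class in refs else "mismatch"

def sample_request(class_ref=None):
    """Constructed AuthnRequest; issuer and ID are placeholders."""
    rac = "" if class_ref is None else (
        '<samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef>'
        f"{class_ref}</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>")
    return encode_redirect((
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">'
        f"<saml:Issuer>https://sp.example.invalid</saml:Issuer>{rac}</samlp:AuthnRequest>").encode())
```

For a real sign-in, the SAMLRequest value is the query parameter on the redirect to the identity provider, visible in the browser's developer tools; URL-decode it before passing it to `decode_redirect`.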
