Jul 22 2021 (last edited on Jan 14 2022)
I have just set up SSO for a new enterprise application.
On AzureAD-joined machines, it works in Chrome and in Edge InPrivate mode. In normal Edge, we get the following error:
AADSTS75011: Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'.
I have read about adding the following to the SAML request, but this is not possible with the vendor currently:
'authnContextClassRef' : false
This only affects AzureAD-joined machines on Edge. When I test from a Hybrid-joined machine, there is no such issue.
Is there any way to resolve this from the Azure side?
Jun 17 2022 05:30 PM
We just ran into this exact same issue today with an application sending the optional/unnecessary RequestedAuthnContext info in the SAML request, but also narrowed it down to only Edge on AAD-joined machines being affected. It also seems to correlate with a Primary Refresh Token (PRT) with MFA/Windows Hello being used.
Did you manage to find any solution that wasn't reliant on the software vendor?
Jun 19 2022 08:05 AM
@Born_Slippy, in the settings for the 3rd-party application I had to disable AuthnContext altogether. Once this was unchecked, this resolved the issue for us.
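As an added example that is not part of this thread or of any vendor's code: a small Python script that decodes a SAMLRequest parameter (HTTP-Redirect or HTTP-POST binding), reports the RequestedAuthnContext the service provider is sending, flags the exact-match demand for the standard SAML 2.0 class urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport (the 'Password, ProtectedTransport' method named in the AADSTS75011 error quoted above), and shows what the request looks like once that element is removed, which is what the vendor-side "disable AuthnContext" setting achieves. The AuthnRequest below is constructed for illustration; the issuer and ACS URLs are placeholders, and the namespaces are the standard SAML 2.0 protocol and assertion namespaces.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample AuthnRequest (hypothetical SP; not captured from any real vendor).
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req-constructed-1" Version="2.0" IssueInstant="2021-07-22T00:00:00Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://app.example.com/saml/acs">
  <saml:Issuer>https://app.example.com</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{PASSWORD_PROTECTED_TRANSPORT}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def encode_redirect_samlrequest(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def encode_post_samlrequest(xml_text: str) -> str:
    """HTTP-POST binding: plain base64 of the XML."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_samlrequest(value: str) -> str:
    """Decode a SAMLRequest value from either binding (URL-decode it first if taken from a query string)."""
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")          # HTTP-POST: already XML
    return zlib.decompress(raw, -15).decode("utf-8")   # HTTP-Redirect: raw DEFLATE


def requested_authn_context(xml_text: str) -> tuple[str, list[str]]:
    """Return (Comparison, [AuthnContextClassRef values]); Comparison defaults to "exact" per SAML 2.0 core.

    Returns ("", []) when the request carries no RequestedAuthnContext at all.
    """
    root = ET.fromstring(xml_text)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return ("", [])
    comparison = rac.get("Comparison", "exact")
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return (comparison, refs)


def demands_exact_password(xml_text: str) -> bool:
    """True when the SP insists on exactly PasswordProtectedTransport, the request shape behind
    the AADSTS75011 mismatch in this thread when the user signed in with (X509, MultiFactor)."""
    comparison, refs = requested_authn_context(xml_text)
    return comparison == "exact" and PASSWORD_PROTECTED_TRANSPORT in refs


def strip_requested_authn_context(xml_text: str) -> str:
    """Remove RequestedAuthnContext, the effect of the vendor-side 'disable AuthnContext' setting."""
    root = ET.fromstring(xml_text)
    for rac in list(root.findall(f"{{{SAMLP}}}RequestedAuthnContext")):
        root.remove(rac)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Round-trip the constructed request through the Redirect binding, then inspect it.
    xml = decode_samlrequest(encode_redirect_samlrequest(SAMPLE_AUTHN_REQUEST))
    print("RequestedAuthnContext:", requested_authn_context(xml))
    print("Exact PasswordProtectedTransport demanded:", demands_exact_password(xml))
    print(strip_requested_authn_context(xml))
```

To check a real application, copy the SAMLRequest value from the browser's network trace (URL-decode it if it came from a redirect query string) and pass it to decode_samlrequest; if demands_exact_password reports True, the request is asking Azure AD for a password sign-in that a PRT-backed Windows Hello or certificate sign-in cannot satisfy, and the fix is on the SP side, as the replies above describe.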