AADSTS75011 by which the user authenticated with the service doesn't match requested authentication
Hello Josse,
The error you are getting means Azure AD rejected the application's SAML authentication request: the authentication method the application asked for (via the RequestedAuthnContext element of its AuthnRequest) does not match what Azure AD can satisfy.
Note: "PasswordProtectedTransport" is not a parameter but an AuthnContextClassRef value. A service provider that requires it places it in the &lt;samlp:RequestedAuthnContext&gt; element of the AuthnRequest it sends to the IdP, and the IdP reports the context it actually used in the &lt;saml:AuthnContext&gt; of the assertion's &lt;saml:AuthnStatement&gt;.
Below is an excerpt showing how that context appears in the AuthnStatement of the assertion (i.e. in the IdP's response, not in the request itself):
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
See the OASIS SAML 2.0 technical overview (SAML is an OASIS standard, not an IETF RFC): http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
The purpose of RequestedAuthnContext is to tell the IdP which authentication method(s) the service provider will accept; PasswordProtectedTransport means "a password presented over a protected (TLS) channel". It does not by itself force the user to re-enter credentials when SSO is already established — that is what the ForceAuthn attribute of the AuthnRequest is for.
One thing to be aware of: the "," you see between "Password" and "ProtectedTransport" in the AADSTS75011 text is most likely just how Azure AD renders the requested context class in its error message, not something the application sent literally. The real mismatch is between the class the application requests (PasswordProtectedTransport) and the only class Azure AD supports (Password, see the documentation excerpt below).
Also below mentioned is a sample saml request that should be sent to azure ad -
<samlp:AuthnRequest
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
ID="id6c1c178c166d486687be4aaf5e482730"
Version="2.0" IssueInstant="2013-03-18T03:28:54.1839884Z"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.contoso.com</Issuer>
</samlp:AuthnRequest>
Also please refer to the article mentioned above :-
RequestedAuthnContext
The RequestedAuthnContext element specifies the desired authentication methods. It is optional in AuthnRequest elements sent to Azure AD. Azure AD supports only one AuthnContextClassRef value: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
To fix this, ask your developer to change the application's AuthnRequest so that RequestedAuthnContext is either omitted entirely (it is optional for Azure AD) or requests only urn:oasis:names:tc:SAML:2.0:ac:classes:Password.
Regards,
Rishabh
thanks for your reply!
I am not a developer at all, but basically what you are saying is:
classes:PasswordProtectedTransport --> most probably this causes the problem
classes:Password --> this will work?
Is this correct? I will ask the developer to look further into this.
Regards,
Josse
- Rishabh SrivastavaJun 01, 2018Iron Contributor
Yes, it will work and you can also share this article with him.
If still it doesn't work, let me know.
Regards,
Rishabh
- Josse HuizenJun 19, 2018Copper Contributor
Hello,
This is the code that is being used and is causing the error.
Note that some values have been anonymized.
Can you see anything wrong?
Regards Josse

var express = require('express');
var path = require('path');
var favicon = require('serve-favicon');
var logger = require('morgan');
var cookieParser = require('cookie-parser');
var bodyParser = require('body-parser');
var passport = require('passport');
var session = require('express-session');
var fs = require('fs');
var SamlStrategy = require('passport-saml').Strategy;
// Not referenced anywhere in this listing; kept as-is for compatibility.
const kSSODomain = "";

// The object returned by the SAML verify callback is stored in the session
// verbatim and handed back unchanged on later requests -- there is no lookup
// against a user store on either side. Keep that object down to the fields
// the app needs, since everything in it lands in the session store.
const passThrough = (user, done) => done(null, user);
passport.serializeUser(passThrough);
passport.deserializeUser(passThrough);
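passport.use(new SamlStrategy(
  {
    // Assertion Consumer Service URL that Azure AD POSTs the SAML response to;
    // it has to match the Reply URL configured on the enterprise application.
    callbackUrl: 'https://www.domain.com/sso',
    // Tenant-specific SAML endpoint of Azure AD.
    entryPoint: 'https://login.windows.net/8888888-8888-8888-8888-8888888888888/saml2',
    // SP entity ID sent as <Issuer>; it must equal the Identifier (Entity ID)
    // configured for this application in Azure AD.
    issuer: '8888888-8888-8888-8888-8888888888888',
    // Azure AD's token-signing certificate. passport-saml uses it to verify
    // the signature on incoming responses/assertions, which is what stops a
    // forged assertion from logging someone in -- never run without it.
    cert: fs.readFileSync('sso-prd.cer', 'utf-8'),
    // Only affects how outgoing AuthnRequests are signed (and needs a private
    // key to take effect); it does not change how responses are verified.
    signatureAlgorithm: 'sha256',
    // Fix for AADSTS75011: passport-saml's default RequestedAuthnContext asks
    // for ...:classes:PasswordProtectedTransport, which Azure AD rejects -- the
    // only AuthnContextClassRef it supports is ...:classes:Password. Newer
    // passport-saml releases take an array here, and
    // `disableRequestedAuthnContext: true` (omit the element entirely, which
    // Azure AD also allows) is the alternative; check the README of the
    // installed version.
    authnContext: 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
  },
  // Verify callback: maps the claims of the already signature-checked
  // assertion onto the user object that serializeUser puts in the session.
  function (profile, done) {
    // Deliberately no console.log(profile): it carries the user's name,
    // e-mail address and whatever other attributes the tenant releases.
    return done(null,
      {
        id: profile['nameID'],
        // The 'name' claim is used as the e-mail address (Azure AD typically
        // sends the UPN there, which may differ from the mail attribute);
        // the commented-out emailaddress claim is the alternative if the
        // tenant releases it.
        // email: profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],
        email: profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],
        displayName: profile['http://schemas.microsoft.com/identity/claims/displayname'],
        firstName: profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'],
        lastName: profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname']
      });
  })
);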
var index = require('./routes/index');
var users = require('./routes/users');
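/**
 * Look a user up by e-mail address through the external `vwapi` client and
 * report the outcome through a Node-style callback.
 *
 * NOTE(review): `vwapi` is neither required nor defined anywhere in this
 * listing; unless it is provided elsewhere, calling this throws a
 * ReferenceError. Nothing in this file calls findByEmail either.
 *
 * @param {string} email - address to search for.
 * @param {function(Error|null, *)} fn - receives (error, user); `user` is the
 *   API's `data` when the result code starts with "OK", otherwise null.
 */
function findByEmail(email, fn) {
  vwapi.userFind(email, function (error, body) {
    // A transport error, a missing body or a non-"OK" status are all treated
    // the same way (no user); the original crashed with a TypeError when the
    // API returned no body.
    const ok = !error
      && body
      && typeof body.result === 'string'
      && body.result.startsWith('OK');
    return fn(error, ok ? body.data : null);
  });
}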
var app = express();
// view engine setup
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'ejs');
app.use(logger('dev'));
app.use(bodyParser.json());
// The SAML response arrives as an application/x-www-form-urlencoded POST
// (SAMLResponse=...) on /sso, so this parser has to be registered before
// passport.authenticate('saml') runs on that route.
app.use(bodyParser.urlencoded({ extended: false }));
app.use(cookieParser());
// NOTE(review): this session cookie carries the logged-in SAML identity, and
// no `cookie` options are set. Consider `cookie: { secure: true }` so the
// cookie is never sent over plain HTTP (with `app.set('trust proxy', 1)` if a
// proxy terminates TLS), `saveUninitialized: false` so anonymous hits do not
// create sessions, and loading `secret` from configuration rather than source
// (it was redacted for this paste, but keep it out of the repository).
app.use(session(
  {
    resave: true,
    saveUninitialized: true,
    secret: 'removedthis'
  }));
// Order matters: passport.session() reads req.session, so it must follow the
// session middleware above.
app.use(passport.initialize());
app.use(passport.session());
app.use(express.static(path.join(__dirname, 'public')));
app.use('/saml2/', index);
//app.use('/saml2/users', users);
// /saml2/login is only a convenience alias for the route that actually starts
// the SAML flow.
app.get('/saml2/login', function (req, res) {
  res.redirect('/saml2/handlelogin');
});

// SP-initiated login: passport-saml builds an AuthnRequest and redirects the
// browser to Azure AD (the strategy's entryPoint). The middleware is created
// once, at startup, exactly as the inline form did.
const startSamlLogin = passport.authenticate('saml', {
  successRedirect: '/account/home',
  failureRedirect: '/login'
});
app.get('/saml2/handlelogin', startSamlLogin);
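// Assertion Consumer Service: Azure AD POSTs the SAMLResponse here. The
// strategy verifies the response signature against the configured `cert`
// before the handler below runs; on failure the user is sent to /account/login.
// NOTE(review): `failureFlash: true` expects a flash middleware (e.g.
// connect-flash) to provide req.flash -- none is installed in this listing, so
// a failed login may throw instead of redirecting; verify before relying on it.
app.post('/sso',
  passport.authenticate('saml', {
    failureRedirect: '/account/login',
    failureFlash: true }),
  function (req, res) {
    // req.user is populated by passport.authenticate via req.login; with the
    // identity serializeUser above it is the same object that ends up under
    // req.session.passport.user.
    var profile = req.user;
    // The profile (name, e-mail, ...) is no longer console.logged on every
    // login. validatedUser has to end the request (redirect or render); as a
    // stub in this listing it does not, so the response would otherwise hang.
    validatedUser(req, res, profile);
  }
);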
// Post-login hook invoked from the /sso handler with the mapped SAML profile.
// Its body was removed for this paste; the real implementation must send a
// response (redirect or render), otherwise the ACS request never completes.
function validatedUser(req, res, profile) {
}
// Anything that fell through every route above is a 404; pass it on to the
// error handler as an Error carrying a status.
app.use((req, res, next) => {
  const notFound = Object.assign(new Error('Not Found'), { status: 404 });
  next(notFound);
});
// Final error handler (express recognises it by its four parameters). The full
// error object -- including the stack -- reaches the view only when the app's
// `env` setting is 'development'; everywhere else the view sees an empty
// object, so internals do not leak to the client. Note that err.message is
// rendered in every environment, so thrown messages must be safe to display.
app.use((err, req, res, next) => {
  const isDevelopment = req.app.get('env') === 'development';
  res.locals.message = err.message;
  res.locals.error = isDevelopment ? err : {};
  res.status(err.status || 500);
  res.render('error');
});
module.exports = app;

- GlenE, Aug 01, 2019, Copper Contributor
Josse Huizen Did you ever resolve this? Seeing the exact same behavior with a third party provider/app.