Jul 22 2021 - last edited on Jan 14 2022
I have just set up SSO for a new enterprise application.
On AzureAD joined machines, it works in Chrome and Edge InPrivate mode. In normal Edge, we get the following error:
AADSTS75011: Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'.
I have read about adding the following to SAML request but this is not possible with the vendor currently:
'authnContextClassRef' : false
This only affects AzureAD joined machines on Edge. When I test from a Hybrid joined machine there is no such issue.
Is there any way to resolve this from the Azure side?
Jun 17 2022 05:30 PM
We just ran into this exact same issue today with an application sending the optional/unnecessary RequestedAuthnContext info in the SAML request. But it also narrowed down to only Edge/AAD-joined machines being affected. Also, it seems to correlate to a Primary Refresh Token (PRT) with MFA/Windows Hello being used.
Did you manage to find any solution that wasn't reliant on the software vendor?
Jun 19 2022 08:05 AM
@Born_Slippy, in the settings for the third-party application I had to disable AuthnContext altogether. Once this was unchecked, this resolved the issue for us.
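Added example, not code from this thread or from any vendor: a small Python check that inspects a SAML AuthnRequest for the RequestedAuthnContext element discussed above, predicts whether Azure AD would answer with AADSTS75011 for a PRT / Windows Hello sign-in (reported as 'X509, MultiFactor'), and produces the request with the element removed, which is the fix described in the reply above. The sample request, the issuer URL and the mapping of SAML context classes to the method names in the error text are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample AuthnRequest modelled on the vendor behaviour in the thread:
# it pins PasswordProtectedTransport even though the user signs in via PRT/WHfB.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0"
    IssueInstant="2022-06-17T00:00:00Z" AssertionConsumerServiceURL="https://app.example.test/acs">
  <saml:Issuer>https://app.example.test</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Methods Azure AD reports for the sign-in in the quoted AADSTS75011 text.
IDP_METHODS_USED = {"X509", "MultiFactor"}

# Assumed mapping from SAML context classes to the method names in the error text.
CLASS_TO_METHODS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": {"Password", "ProtectedTransport"},
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": {"Password"},
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509": {"X509"},
}


def requested_context(request_xml):
    """Return (Comparison, [class refs]) or None when the request sends no RequestedAuthnContext."""
    root = ET.fromstring(request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None
    comparison = rac.get("Comparison", "exact")  # SAML 2.0 default is "exact"
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return comparison, refs


def predicts_aadsts75011(request_xml, methods_used=IDP_METHODS_USED):
    """True when the request pins a context the actual sign-in cannot satisfy (exact match modelled)."""
    ctx = requested_context(request_xml)
    if ctx is None:
        return False  # no RequestedAuthnContext: the IdP is free to use the PRT/WHfB sign-in
    _, refs = ctx
    return not any(CLASS_TO_METHODS.get(ref, set()) <= methods_used for ref in refs)


def strip_requested_authn_context(request_xml):
    """The fix from the thread: send the AuthnRequest without any RequestedAuthnContext."""
    root = ET.fromstring(request_xml)
    for rac in root.findall(f"{{{SAMLP}}}RequestedAuthnContext"):
        root.remove(rac)
    return ET.tostring(root, encoding="unicode")
```

Run it against a captured AuthnRequest (for example from the browser's SAML tracer) to confirm the element is present before asking the vendor to disable it.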
Feb 06 2023 09:35 AM
I've seen this specifically with users that log into their computers with PIN or Face ID. Users that log in to their PCs with a traditional password don't seem to run into this issue. The fact that users running other browsers aren't having these issues (just Edge) would seem to imply there should be something in the browser that could be adjusted to solve this issue.