
Question

Directory Server Support for Multiple SAML Authentication Context Classes

asked on June 14, 2021

Are there plans to support multiple SAML authentication context classes (RequestedAuthnContext) in an upcoming release of Directory Server? From the documentation, it appears that in the current release, only a single authentication class can be specified. In a future release, I would like to be able to allow users to authenticate either via password or X.509-based hardware security tokens.

0 0

Answer

APPROVED ANSWER SELECTED ANSWER
replied on June 14, 2021

Hi David,

This is not on our roadmap at this time but it is recorded in our backlog and we'll consider it in the future (work item 218025 for your records).

One thing that's worth a shot is using value "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" though I am not sure if it will work in your use case.

3 0
replied on June 14, 2021

Unspecified does indeed allow me to choose to authenticate in Azure AD using either password or hardware token, and successfully sign in to the Directory Server. Thanks for such a quick and helpful response.

0 0
replied on June 14, 2021

Perfect, I'm glad to have helped!

0 0
replied on December 21, 2022

I can confirm this solution worked for us as well! Thanks, Karim, for finding this post.

Either specifying multiple contexts, having the ability to eliminate that ask in the SAML payload, and/or allowing the ability to force the reauth (forceAuthn="true") would be good.

Error - AADSTS75011 Authentication method by which the user authenticated with the service doesn't match requested authentication method AuthnContextClassRef. - Active Directory | Microsoft Learn

0 0
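To make the options discussed in this thread concrete (a single requested class, several classes, the "unspecified" class, no RequestedAuthnContext at all, and ForceAuthn), here is an added Python example that is not code from Directory Server or from any poster. It builds the RequestedAuthnContext part of a SAML AuthnRequest and checks whether an assertion's AuthnContextClassRef would satisfy it; the matching rule is a simplified model of the behaviour reported above (an "unspecified" request accepting any class), not Azure AD's or Directory Server's actual implementation. The class URIs for password and X.509 are the standard SAML authentication context classes.

```python
"""Build a SAML RequestedAuthnContext and check an assertion against it.

Simplified model (assumption, not vendor logic): with Comparison="exact" the
asserted class must be one of the requested ones; a request listing only
"unspecified" or omitting RequestedAuthnContext accepts any class.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PASSWORD = AC + "PasswordProtectedTransport"   # standard class for password login
X509 = AC + "X509"                              # standard class for certificate/token login
UNSPECIFIED = AC + "unspecified"                # the value suggested in the thread


def build_authn_request(classes, force_authn=False):
    """Return an AuthnRequest (XML text) with the given RequestedAuthnContext.

    An empty class list omits RequestedAuthnContext entirely, i.e. the
    "eliminate that ask in the SAML payload" option from the last reply.
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID="_req1", Version="2.0")
    if force_authn:
        # Ask the IdP to re-authenticate even if the user has a live session.
        req.set("ForceAuthn", "true")
    if classes:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", Comparison="exact")
        for cls in classes:
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = cls
    return ET.tostring(req, encoding="unicode")


def requested_classes(authn_request_xml):
    """Extract the AuthnContextClassRef values from an AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    return [e.text for e in root.iter(f"{{{SAML}}}AuthnContextClassRef")]


def context_satisfies_request(authn_request_xml, asserted_class):
    """True if an assertion carrying asserted_class satisfies the request.

    A False result is the situation Azure AD reports as AADSTS75011: the
    user authenticated with a method the request did not ask for.
    """
    wanted = requested_classes(authn_request_xml)
    if not wanted or UNSPECIFIED in wanted:
        return True
    return asserted_class in wanted
```

Run the checker against a request that lists only the password class and an assertion carrying the X.509 class to see the mismatch case; listing both classes, or only "unspecified", accepts either login method.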
