
Question

Error while using SAML authentication. Authentication method 'X509, MultiFactor'

asked on March 9, 2023

I have recently updated my LF client to 11 (11.0.2301.262). I now get an error when using my STS (Directory Server) site to sign into my repository using SAML.

I have seen this error before when my users try and use Edge to sign into Web Access. The fix is to use Chrome and it works. I don't know why that works but it does. 

Now I'm getting the error when using the Client software and I have no idea how to fix it. I CANNOT log into my repository right now because of this error. Any idea why the new version of Client would get this error and not a previous one? How can I resolve this?


Answer

SELECTED ANSWER
replied on March 9, 2023

For the AADSTS 750011 – auth method mismatch issue, please try updating the LFDS Azure AD SAML configuration’s “Authentication Context” value to:

  • urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

The “unspecified” class value above should allow the SP (LFDS) to accept any auth method from the IDP (AAD).

LFDS defaults to urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, the most common method. It is not currently possible to have LFDS send multiple Authentication Context values in its SAML request, so the “unspecified” value works as an "allow any".

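To make the mismatch in the selected answer concrete, here is an added example (not LFDS or Laserfiche code, and not from the original post) that builds a minimal SAML 2.0 AuthnRequest with a RequestedAuthnContext, pulls the AuthnContextClassRef out of a constructed IdP Response, and decides whether the IdP could honor the request. The entity IDs and URLs are placeholders; the Response XML, the X509 class and the Microsoft multipleauthn URI are constructed sample data standing in for the 'X509, MultiFactor' session in the question; and the rule that "unspecified" (or no RequestedAuthnContext at all) means "any method is acceptable" is an assumption modelled on the answer's description, not a guarantee about any particular IdP.

```python
"""Added example: SP RequestedAuthnContext vs. IdP AuthnContextClassRef.

Not LFDS/Laserfiche code. Entity IDs, URLs and the sample Response are
constructed for illustration only.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

PPT = AC + "PasswordProtectedTransport"   # the LFDS default named in the thread
UNSPECIFIED = AC + "unspecified"           # the "allow any" value from the fix
X509 = AC + "X509"
# Assumed sample value for an MFA session; treat as constructed test data.
MS_MFA = "http://schemas.microsoft.com/claims/multipleauthn"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, authn_context=PPT):
    """Return a (unsigned, minimal) AuthnRequest as an XML string.

    authn_context=None omits RequestedAuthnContext entirely; otherwise a
    single AuthnContextClassRef is sent with Comparison="exact", which is
    what the thread says LFDS does (one value, no list).
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    if authn_context:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = authn_context
    return ET.tostring(req, encoding="unicode")


def requested_contexts(authn_request_xml):
    """All AuthnContextClassRef values the SP asked for (empty if none)."""
    root = ET.fromstring(authn_request_xml)
    return [e.text for e in root.iter(f"{{{SAML}}}AuthnContextClassRef")]


def asserted_contexts(response_xml):
    """AuthnContextClassRef values in the IdP's AuthnStatement(s)."""
    root = ET.fromstring(response_xml)
    return [e.text for e in root.iter(f"{{{SAML}}}AuthnContextClassRef")]


def idp_can_honor(requested, used_by_idp):
    """Assumed IdP rule: no request or 'unspecified' accepts any method;
    otherwise Comparison="exact" needs one requested class to equal a
    class the IdP actually used (or is configured to use)."""
    if not requested or UNSPECIFIED in requested:
        return True
    return any(ctx in requested for ctx in used_by_idp)


# Constructed sample Response: an IdP session authenticated with a
# certificate plus MFA, modelled on the 'X509, MultiFactor' error text.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2023-03-09T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-03-09T00:00:00Z">
    <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2023-03-09T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{X509}</saml:AuthnContextClassRef>
        <saml:AuthnContextClassRef>{MS_MFA}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def check(authn_context):
    """Build a request with the given context and test it against the
    constructed MFA/X509 session. Returns True if the IdP can honor it."""
    req = build_authn_request("https://lfds.example.invalid/sp",
                              "https://lfds.example.invalid/acs",
                              "https://idp.example.invalid/sso",
                              authn_context)
    return idp_can_honor(requested_contexts(req),
                         asserted_contexts(SAMPLE_RESPONSE))


if __name__ == "__main__":
    print("default PasswordProtectedTransport:", check(PPT))      # False
    print("unspecified (the fix):            ", check(UNSPECIFIED))  # True
    print("no RequestedAuthnContext:         ", check(None))       # True
```

The first call reproduces the failure: the SP insists on PasswordProtectedTransport with exact comparison while the IdP session was X509 plus MFA, so no requested class matches. Switching the single value to "unspecified" (or dropping the element, which Microsoft's "ask the application if it could be removed" refers to) is what lets the IdP proceed. The trade-off a practitioner should note is that "unspecified" also drops the SP's ability to demand a minimum authentication strength; if that matters, enforce MFA on the IdP side instead.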
replied on March 9, 2023

This issue was confusing because Microsoft was requesting to remove RequestedAuthnContext, but what you just removed with this new value was nameid-format, replacing it with classes.

replied on March 9, 2023

That is not correct.

The Microsoft AADSTS 750011 error is describing a mismatch between the RequestedAuthnContext of urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport in the LFDS SAML request and the AuthnContext Azure AD is configured to use or used for a prior AAD auth session.

AAD is not requesting to "remove RequestedAuthnContext" - that's not even a concept in the SAML 2.0 specification. The Microsoft link in my post above describes the issue in more detail.

Name ID format is an entirely different field. You can see the LFDS defaults here:

The fix involves replacing the default LFDS Authentication context value of urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport with urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

There were no changes to the Name ID format attribute and its default value of urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified in this fix.

LFDS11-SAML-IdP-DefaultConfigValues-20230309.jpg
replied on March 10, 2023

Oh sorry I read the wrong value when trying to compare to see what you were having Lucas replace. It also started with the same characters, urn:oasis.

So PasswordProtectedTransport needed to be replaced with unspecified.

What was confusing for all of us was that the resolution from Microsoft simply said:

"RequestedAuthnContext is an optional value. Then, if possible, ask the application if it could be removed. (or make sure it will be honored)"

It was very difficult to decipher what they were asking us to do. When they said "ask the application" I could only think this meant ask the application developers to change something in the code. Especially when something is written in camel case like this, it sounds like it is for developers.

It seems that PasswordProtectedTransport was the RequestedAuthnContext and by stating unspecified we removed it or honored it.


Replies

replied on March 9, 2023

Thanks, Samuel. That seemed to fix it. 
