I’m running into an issue where Laserfiche insists that the user’s username/password be exactly specified in the SAML request. Here’s the relevant snippet from the request:
<samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
Because ADFS isn’t prompting for credentials, it rejects the authentication with a NoAuthnContext status:
<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
    </samlp:StatusCode>
</samlp:Status>
The strict Comparison "exact" seems to be preventing ADFS from satisfying the request. My thought is that if Laserfiche could relax this to something like Comparison "minimum", ADFS would accept the default authentication context and pass credentials.
Has anyone encountered this? How can I adjust either the ADFS or Laserfiche configuration so that ADFS will pass the user credentials (or otherwise satisfy the requested authn context) without returning NoAuthnContext? Any pointers or configuration examples would be greatly appreciated!
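As an added illustration (not code from the question, Laserfiche or ADFS), the Python below parses request and status fragments like the ones quoted and evaluates the SAML Core Comparison rules, showing why "exact" against PasswordProtectedTransport fails when the IdP asserts a different context while "minimum" can pass. The Windows integrated class ref urn:federation:authentication:windows and the strength ordering in STRENGTH are assumptions for the example.

```python
"""Check a SAML RequestedAuthnContext against the context an IdP can assert."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
WIA = "urn:federation:authentication:windows"  # ADFS's class ref for Windows integrated auth (assumed)
# Assumed strength ordering for the "minimum" comparison. SAML Core leaves the
# ordering to the IdP, so this is an illustrative policy, not ADFS's actual one.
STRENGTH = {"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified": 0,
            "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1, PPT: 2, WIA: 3}

# Constructed request and response fragments mirroring the ones in the question.
REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext></samlp:AuthnRequest>"""
RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}"><samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
  </samlp:StatusCode></samlp:Status></samlp:Response>"""

def requested_context(xml_text):
    """Return (Comparison, [AuthnContextClassRef...]); Comparison defaults to exact."""
    rac = ET.fromstring(xml_text).find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return rac.get("Comparison", "exact"), refs

def satisfies(comparison, refs, asserted):
    """True if the asserted class ref meets the request under SAML Core rules."""
    if not refs:
        return True                 # no RequestedAuthnContext: any context is acceptable
    if comparison == "exact":
        return asserted in refs     # WIA is not PPT, so exact fails -> NoAuthnContext
    if comparison == "minimum":     # at least as strong as one requested class
        return STRENGTH[asserted] >= min(STRENGTH[r] for r in refs)
    raise ValueError(f"Comparison {comparison!r} not modelled here")

def status_codes(response_xml):
    """Return the nested StatusCode values of a Response, outermost first."""
    node = ET.fromstring(response_xml).find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    codes = []
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find(f"{{{SAMLP}}}StatusCode")
    return codes
```

Running status_codes over a captured Response makes the second-level NoAuthnContext code visible, which is the quickest way to tell a context mismatch apart from other Responder-class failures when reviewing federation logs.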