SAML authentication with Microsoft Entra ID
I understand this feature is still in beta but we're having the following issue.
All of our devices are already connected to Entra SSO, and it appears that when trying to log in, we'll receive the following error:
AADSTS75011: Authentication method 'X509, MultiFactor, X509Device' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the <Application> application owner.
Upon troubleshooting in Entra, the following cause is provided:
Root cause: The application is requesting the user to sign in using a specific method but the user has already authenticated with a different method prior to accessing the application. For example, in the SAML request the application has a RequestedAuthnContext with the specific AuthnContextClassRef value urn:oasis:names:tc:SAML:2.0:ac:classes:Password but the user has used multifactor authentication to sign in.
Has this been reported as of yet and is it being worked on? We're keen to implement this as soon as possible.
Thanks!
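The mismatch described in the root-cause text above can be checked against the AuthnRequest the SP actually sends. The following Python is an added example (not from the thread, Zyxel, or Microsoft): it parses a constructed request that pins PasswordProtectedTransport, reports what is requested, and produces a relaxed copy with RequestedAuthnContext removed so the IdP can satisfy it with the method the user already used. The issuer URL, ACS URL and ID are placeholders.

```python
"""Inspect a SAML 2.0 AuthnRequest for a RequestedAuthnContext that pins the
sign-in method (the trigger for AADSTS75011) and emit a relaxed copy."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep samlp:/saml: prefixes on output

PASSWORD_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}

# Constructed sample (placeholder URLs/ID), modelled on the thread's mismatch:
# the SP demands a password-based context even if the user has an MFA session.
SAMPLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.invalid/acs">
  <saml:Issuer>https://sp.example.invalid/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def inspect_request(xml_text: str) -> dict:
    """Report the requested Comparison and class refs, and whether the request
    pins a password-only method (rejected by an IdP when the existing session
    was established with a different method such as X509 or MFA)."""
    root = ET.fromstring(xml_text)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return {"comparison": None, "class_refs": [], "pins_password_method": False}
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    comparison = rac.get("Comparison", "exact")  # SAML 2.0 default is "exact"
    pinned = bool(refs) and all(r in PASSWORD_CLASSES for r in refs)
    return {"comparison": comparison, "class_refs": refs, "pins_password_method": pinned}


def relax_request(xml_text: str) -> str:
    """Return the request with RequestedAuthnContext removed, so no specific
    method is demanded and an existing stronger session can be reused."""
    root = ET.fromstring(xml_text)
    for rac in root.findall("samlp:RequestedAuthnContext", NS):
        root.remove(rac)
    return ET.tostring(root, encoding="unicode")
```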
Hi @mattmarch,
May I confirm whether you followed this FAQ to configure the SAML authentication with Microsoft Entra ID but are having an issue when testing?
How to configure SAML authentication with Microsoft Entra ID? — Zyxel Community
Zyxel Melen
Hi @Zyxel_Melen,
Yes, I followed that exact guide to the letter.
I tested an Entra account which isn't tied to my machine and found that worked straight away. There seems to be an issue where the SP is sending the RequestedAuthnContext value back to the IDP but may require another value. Please see the MS KB Post here:
Thanks as always.
Hi @mattmarch,
Thanks for your update. May I know the difference between the two accounts you used to test? This will help us create an FAQ for other users.
Zyxel Melen
Hi @Zyxel_Melen,
Sure, the only difference is that the test account isn't already logged in and authenticated via the Edge browser, nor is it utilizing the 'Microsoft Single Sign On' extension within Chrome. I believe the changes in the way the SP connects to the IDP need to be reviewed, as we don't have this issue with our other SAML applications.
Thank you.
@Zyxel_Melen Is there any update on a potential fix for this or any advice from the development team?
@Zyxel_Melen, it's also worth mentioning that if you're trying to connect using this mode from an iOS device, accepting any sort of authentication prompt from Microsoft is impossible as leaving the captive portal page on iOS will restart the process.