SAML authentication with Microsoft Entra ID
I understand this feature is still in beta but we're having the following issue.
All of our devices are already connected to Entra SSO, and it appears that when trying to login, we'll receive the following error:
AADSTS75011: Authentication method 'X509, MultiFactor, X509Device' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the <Application> application owner.
Upon troubleshooting in Entra, the following cause is provided:
Root cause: The application is requesting the user to sign in using a specific method but the user has already authenticated with a different method prior to access the application. For example, in the SAML request the application has a RequestedAuthnContext with the specific AuthnContextClassRef value urn:oasis:names:tc:SAML:2.0:ac:classes:Password but the user has used multifactor authentication to sign in.
Has this been reported as of yet and is it being worked on? We're keen to implement this as soon as possible.
Thanks!
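The root-cause text above describes a mismatch between what the SP's AuthnRequest asks for and how the user actually signed in. As an added illustration (not code from the thread or from Zyxel), the Python below parses a constructed AuthnRequest for its RequestedAuthnContext, splits the quoted AADSTS75011 message into the two method lists, checks whether the request explains the error, and re-serializes the request without the element; treating that removal as an SP-side fix is an assumption here, not something the vendor stated.

```python
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample AuthnRequest (not captured from a Zyxel device) carrying the
# RequestedAuthnContext that the root-cause text in the thread describes.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
  <saml:Issuer>https://captive-portal.example.test</saml:Issuer>
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>{PASSWORD_CLASS}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def requested_authn_context(xml_text):
    """Return (Comparison, [class refs]) if the request pins a method, else None."""
    root = ET.fromstring(xml_text)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None
    comparison = rac.get("Comparison", "exact")  # SAML 2.0 Core default is "exact"
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return comparison, refs

def parse_aadsts75011(message):
    """Split the IdP error into (methods the user used, methods the SP requested)."""
    m = re.search(r"method '([^']*)'.*?requested authentication method '([^']*)'", message)
    if not m:
        raise ValueError("not an AADSTS75011 message")
    split = lambda s: frozenset(x.strip() for x in s.split(",") if x.strip())
    return split(m.group(1)), split(m.group(2))

def explains_error(xml_text, message):
    """True when the request demands an exact method set and the user satisfied none of it."""
    ctx = requested_authn_context(xml_text)
    if ctx is None:
        return False
    used, requested = parse_aadsts75011(message)
    return ctx[0] == "exact" and not (used & requested)

def strip_requested_authn_context(xml_text):
    """Re-serialize the request without RequestedAuthnContext (assumed mitigation)."""
    root = ET.fromstring(xml_text)
    for rac in root.findall(f"{{{SAMLP}}}RequestedAuthnContext"):
        root.remove(rac)
    return ET.tostring(root, encoding="unicode")
```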
All Replies
Hi @mattmarch,
May I confirm if you follow this FAQ to configure the SAML authentication with Microsoft Entra ID but having an issue when testing?
How to configure SAML authentication with Microsoft Entra ID? — Zyxel Community
Zyxel Melen
Hi @Zyxel_Melen,
Yes, I followed that exact guide to the letter.
I tested an Entra account which isn't tied to my machine and found that worked straight away. There seems to be an issue where the SP is sending the RequestedAuthnContext value back to the IDP but may require another value. Please see the MS KB Post here:
Thanks as always.
Hi @mattmarch,
Thanks for your update. May I know the difference between the two accounts you used to test? This will help us create an FAQ for other users.
Zyxel Melen
Hi @Zyxel_Melen,
Sure, the only difference is that the test account isn't already logged in and authenticated via the Edge browser, as well as utilizing the 'Microsoft Single Sign On' extension within Chrome. I believe the changes in the way the SP connects to the IDP need to be reviewed, as we don't have this issue with our other SAML applications.
Thank you.
@Zyxel_Melen Is there any update on a potential fix for this or any advice from the development team?
@Zyxel_Melen, it's also worth mentioning that if you're trying to connect using this mode from an iOS device, accepting any sort of authentication prompt from Microsoft is impossible as leaving the captive portal page on iOS will restart the process.
Hi @mattmarch,
I apologize for the delayed update. Our engineer is checking on it and I will update you once I have further information.
About the iOS device, could you share the version of this device so we can better reproduce this issue?
Zyxel Melen
@Zyxel_Melen, thanks for getting back to me. Currently utilizing the latest iOS 18.3. As you attempt to join the WiFi network using SAML, the captive portal opens and prompts for the user to authenticate with M365. If Microsoft Authenticator is being used, you have to leave the captive portal to accept the 2FA prompt from the Authenticator app, effectively killing the login process as the captive portal has been left.
The alternative solution is to have a text 2FA code sent to the user, but not all businesses allow this and only allow Microsoft Authenticator prompts for MFA.
I hope this helps.