Hi Community!
I have an issue regarding SAML integration and I need some help.
I am trying to connect our Reviewboard 5.0.7 docker instance with Azure through SAML. If I log in to Windows with a password, everything is good. If I use biometrics or a PIN, I get an error message from Azure.
AADSTS75011: Authentication method 'X509, MultiFactor, X509Device' by
which the user authenticated with the service doesn't match requested
authentication method 'Password, ProtectedTransport'. Contact the
MSS-Reviewboard application owner.
When feeding the error to Azure's error code tool I get the following message:
Root cause: The application is requesting the user to sign in
using a specific method but the user has already authenticated with a
different method prior to access the application. For example, in the
SAML request the application has a RequestedAuthnContext with the specific AuthnContextClassRef value urn:oasis:names:tc:SAML:2.0:ac:classes:Password but the user has used multifactor authentication to sign in.
Resolution:
- Request to the developer of the application to remove the RequestedAuthnContext from the SAML request.
- Another option is to request the application owner to always prompt
the user for a fresh authentication. To accomplish this, the
application needs to add the value forceAuthn="true" as a parameter in the request to Microsoft Entra ID.
My question is: Is there something I can do to resolve this conflict on my side? Is there any change in later versions where this is not an issue? Or can someone help me with any general advice on how to proceed?
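The AADSTS75011 explanation above comes down to what the service provider puts in its SAML AuthnRequest. The following is an added illustration, not part of the original post and not Review Board's own SAML code: it uses only the Python standard library to inspect a constructed AuthnRequest for the two things Azure's resolution text mentions (a RequestedAuthnContext element and the ForceAuthn attribute) and to produce the request shape each resolution option asks for. The sample request, its IDs and URLs are constructed placeholders; how the real Review Board SP configuration is changed is not shown here.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 protocol and assertion namespaces, registered so that serialized
# output keeps the conventional samlp:/saml: prefixes.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed sample AuthnRequest (placeholder IDs/URLs, not captured from
# Review Board). It carries the exact RequestedAuthnContext shape that the
# AADSTS75011 explanation describes: the SP insists on password-based contexts.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://login.microsoftonline.com/EXAMPLE-TENANT/saml2"
    AssertionConsumerServiceURL="https://reviewboard.example.invalid/account/sso/saml/acs/">
  <saml:Issuer>https://reviewboard.example.invalid/account/sso/saml/metadata/</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def inspect_authn_request(xml_text):
    """Return what the IdP will see: requested context classes and ForceAuthn."""
    root = ET.fromstring(xml_text)
    classes = [
        el.text.strip()
        for el in root.findall("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
        if el.text
    ]
    # ForceAuthn is an attribute of AuthnRequest itself; absent means false.
    force = root.get("ForceAuthn", "false").lower() == "true"
    return {"requested_authn_context": classes, "force_authn": force}


def explain_mismatch(xml_text):
    """Say whether a session signed in without a password (PIN, biometrics,
    certificate) would be rejected for this request."""
    info = inspect_authn_request(xml_text)
    if not info["requested_authn_context"]:
        return "ok: no RequestedAuthnContext, any IdP authentication method is accepted"
    return ("mismatch risk: request demands %s; an existing passwordless session "
            "will fail with AADSTS75011" % ", ".join(info["requested_authn_context"]))


def apply_resolution(xml_text, drop_requested_context=True, force_authn=False):
    """Produce the request shape the Azure resolution text asks for.

    drop_requested_context=True implements option 1 (remove RequestedAuthnContext);
    force_authn=True implements option 2 (ForceAuthn="true" for a fresh sign-in).
    """
    root = ET.fromstring(xml_text)
    if drop_requested_context:
        for rac in root.findall("samlp:RequestedAuthnContext", NS):
            root.remove(rac)
    if force_authn:
        root.set("ForceAuthn", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(explain_mismatch(SAMPLE_REQUEST))
    print(explain_mismatch(apply_resolution(SAMPLE_REQUEST)))
```

Running this against a request captured from the browser (the SAMLRequest parameter, base64-decoded and, for HTTP-Redirect binding, DEFLATE-inflated) shows directly whether the SP is sending a RequestedAuthnContext; if it is, that is the element the first resolution option asks to remove.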