Resolving Authentication Method Mismatch in Azure AD SSO for Enterprise Applications

Angel Fontalvo Avila 25 Reputation points
2024-11-14T20:07:35.8+00:00

I am encountering an issue with an Azure AD Enterprise Application configured for SAML SSO. After enabling stronger MFA capabilities for a specific user, they started receiving the following error when trying to access the app:

Authentication method 'MultiFactor, Fido' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the ManagedAssets application owner.

Setup Details:

  1. Application Details:
    • App Name: SnipeIT (https://snipeitapp.com/)
    • Version: v5.4.1 - build 6746 (master)
    • SSO Configuration: SAML Integration
  2. Azure AD Configuration:
    • SAML-based SSO is enabled for the application.
    • Conditional Access policies are applied to the app.
    • Authentication Strength: One user has been configured with strong MFA capabilities, including biometrics (FIDO2).
  3. Error Context:
    • The error only affects the user whose authentication methods were updated to include stronger MFA.
    • Other accounts using standard password-based or less stringent MFA authentication methods do not encounter this error.

Additional Questions:

  1. How can I configure Azure AD or the SAML application to support stronger MFA methods (e.g., FIDO2) for this user without causing a mismatch?
  2. Is it possible to modify the application's required authentication methods (e.g., Password, ProtectedTransport) to align with Azure AD's MultiFactor and FIDO2?
  3. Are there known limitations or considerations when integrating strong MFA capabilities like biometrics with SAML-based apps?

Thank you kindly for giving your valuable attention to helping me resolve this challenge.

Tags: Azure Managed Applications, Microsoft Entra ID

1 answer

  1. Andy David - MVP
    2024-11-14T21:06:16.16+00:00

    Hi, see this for an explanation of how to fix it; it's similar:

    https://medium.com/@namsoochoi/solved-error-aadsts75011-during-saml-sso-a4abf7ff3946

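What the error describes at the SAML layer, as an added example that is not part of the question, the answer, the linked article or Snipe-IT's own code: the service provider's AuthnRequest carries a `RequestedAuthnContext` pinned to the `PasswordProtectedTransport` class with `Comparison="exact"`, so an assertion whose `AuthnContextClassRef` reflects an MFA or FIDO2 sign-in cannot satisfy it, while a plain password sign-in can. The script below builds both the pinned request and one with the element omitted (which is what setting `security.requestedAuthnContext` to `false` in an SP library such as onelogin/php-saml does), then checks constructed response fragments against each. The hostnames are hypothetical, the XML is constructed sample data, and the class URI used for the MFA case is an assumption about what the IdP emits, not a value taken from the page.

```python
# Added diagnostic for the AADSTS75011-style mismatch. Not code from the page,
# Snipe-IT or Microsoft; all XML below is constructed sample data.
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA = "http://schemas.microsoft.com/claims/multipleauthn"  # assumed IdP value for MFA sign-ins


def make_authn_request(issuer: str, acs_url: str,
                       requested_class: Optional[str] = PPT) -> str:
    """Build a minimal AuthnRequest. requested_class=None omits RequestedAuthnContext
    entirely, which is the effect of disabling it in the SP's SAML library."""
    rac = ""
    if requested_class is not None:
        rac = (
            '<samlp:RequestedAuthnContext Comparison="exact">'
            f"<saml:AuthnContextClassRef>{requested_class}</saml:AuthnContextClassRef>"
            "</samlp:RequestedAuthnContext>"
        )
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        'ID="_req1" Version="2.0" IssueInstant="2024-11-14T20:00:00Z" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>{rac}</samlp:AuthnRequest>"
    )


def make_response(asserted_class: str) -> str:
    """Constructed, unsigned response fragment; only the AuthnStatement matters here."""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        'ID="_resp1" Version="2.0" IssueInstant="2024-11-14T20:00:05Z">'
        "<saml:Assertion><saml:AuthnStatement><saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{asserted_class}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>"
    )


def requested_context(authn_request_xml: str):
    """Return (comparison, [class refs]) or None when the SP requests no context."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None
    comparison = rac.get("Comparison", "exact")  # SAML Core default is "exact"
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return comparison, refs


def asserted_context(response_xml: str) -> Optional[str]:
    """Extract the class the IdP says it actually authenticated the user with."""
    root = ET.fromstring(response_xml)
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None else None


def context_satisfies(requested, asserted: str):
    """Apply the 'exact' rule: the asserted class must be one of the requested ones.
    Returns (ok, reason); ok is None for Comparison values that need a class
    ordering this check does not define (minimum/better/maximum)."""
    if requested is None:
        return True, "no RequestedAuthnContext: any method the IdP used is acceptable"
    comparison, refs = requested
    if comparison != "exact":
        return None, f"Comparison={comparison} needs a deployment-defined class ordering"
    if asserted in refs:
        return True, f"asserted {asserted} is among the requested classes"
    return False, f"IdP used {asserted}; SP required exactly {refs}"


def diagnose(authn_request_xml: str, response_xml: str):
    """Compare one request/response pair the way the IdP does before answering."""
    return context_satisfies(requested_context(authn_request_xml),
                             asserted_context(response_xml))


if __name__ == "__main__":
    acs = "https://snipeit.example.com/saml/acs"  # hypothetical ACS URL
    pinned = make_authn_request("snipeit.example.com", acs)         # default SP behaviour
    relaxed = make_authn_request("snipeit.example.com", acs, None)  # element removed
    for label, req in (("pinned", pinned), ("relaxed", relaxed)):
        for user, resp in (("password user", make_response(PPT)),
                           ("FIDO2 user", make_response(MFA))):
            ok, why = diagnose(req, resp)
            print(f"{label:8} {user:14} ok={ok!s:5} {why}")
```

The pinned request passes for the password user and fails for the FIDO2 user, which matches the symptom in the question; the relaxed request passes for both. Removing the element is the usual remedy: with no `RequestedAuthnContext`, the IdP enforces whatever Conditional Access and authentication strength demand and the SP simply consumes the assertion, so the stronger method is not weakened, only no longer contradicted by the SP. Snipe-IT exposes a SAML custom-settings field for library overrides; the exact key to place there should be checked against the Snipe-IT SAML documentation for the installed version.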
