Resolving Authentication Method Mismatch in Azure AD SSO for Enterprise Applications

Angel Fontalvo Avila 25 Reputation points
2024-11-14T20:07:35.8+00:00

I am encountering an issue with an Azure AD Enterprise Application configured for SAML SSO. After enabling stronger MFA capabilities for a specific user, they started receiving the following error when trying to access the app:

Authentication method 'MultiFactor, Fido' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the ManagedAssets application owner.

Setup Details:

  1. Application Details:
    • App Name: SnipeIT (https://snipeitapp.com/)
    • Version: v5.4.1 - build 6746 (master)
    • SSO Configuration: SAML Integration
  2. Azure AD Configuration:
    • SAML-based SSO is enabled for the application.
    • Conditional Access policies are applied to the app.
    • Authentication Strength: One user has been configured with strong MFA capabilities, including biometrics (FIDO2).
  3. Error Context:
    • The error only affects the user whose authentication methods were updated to include stronger MFA.
    • Other accounts using standard password-based or less stringent MFA authentication methods do not encounter this error.

Additional Questions:

  1. How can I configure Azure AD or the SAML application to support stronger MFA methods (e.g., FIDO2) for this user without causing a mismatch?
  2. Is it possible to modify the application's required authentication methods (e.g., Password, ProtectedTransport) to align with Azure AD's MultiFactor and FIDO2?
  3. Are there known limitations or considerations when integrating strong MFA capabilities like biometrics with SAML-based apps?

Thank you kindly for your giving your valuable attention to helping me resolve this challenge.

Azure Managed Applications
Azure Managed Applications
An Azure service that enables managed service providers, independent software vendors, and enterprise IT teams to deliver turnkey solutions through the Azure Marketplace or service catalog.
155 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,649 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Andy David - MVP 151K Reputation points MVP
    2024-11-14T21:06:16.16+00:00

    HI, see this for an explanation on how to fix, its similar:

    https://medium.com/@namsoochoi/solved-error-aadsts75011-during-saml-sso-a4abf7ff3946

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.