
SSO: Unable to sign-in with Entra when user logged in via other method #3518

Closed
knolleary opened this issue Feb 27, 2024 · 1 comment · Fixed by #3519
Labels
bug Something isn't working customer request requested by customer needs-triage Needs looking at to decide what to do size:M - 3 Sizing estimation point

Comments

@knolleary (Member) commented Feb 27, 2024

Current Behavior

A self-hosted user reports:

I've configured SSO in FlowFuse and I've got the app registered with Entra ID, but I'm getting this error:

AADSTS75011: Authentication method 'X509, MultiFactor, PasswordlessPhoneSignIn' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the Flow Fuse application owner.

For context, our use case in this instance is that once a user has authenticated with Entra ID, they won't need to sign in again until their credentials expire. As the error message says, we also use PasswordlessPhoneSignIn.

I've done some troubleshooting and the resolution guidance from MS is:

Root cause: The application is requesting the user to sign in using a specific method, but the user has already authenticated with a different method prior to accessing the application. For example, in the SAML request the application has a RequestedAuthnContext with the specific AuthnContextClassRef value urn:oasis:names:tc:SAML:2.0:ac:classes:Password, but the user has used multifactor authentication to sign in.
Resolution:
Request to the developer of the application to remove the RequestedAuthnContext from the SAML request.
Another option is to request the application owner to always prompt the user for a fresh authentication. To accomplish this, the application needs to add the value forceAuthn="true" as a parameter in the request to Microsoft Entra ID.

Expected Behavior

Can login via SSO/Entra when other methods are used.

Steps To Reproduce

No response

Environment

  • FlowFuse version:
  • Node.js version:
  • npm version:
  • Platform/OS:
  • Browser:

Have you provided an initial effort estimate for this issue?

I have provided an initial effort estimate

@knolleary knolleary added bug Something isn't working needs-triage Needs looking at to decide what to do size:M - 3 Sizing estimation point customer request requested by customer labels Feb 27, 2024
@knolleary (Member, Author) commented

We can remove the RequestedAuthnContext from the SAML request: node-saml/passport-saml#226

The question is whether any of our other supported IdPs require that element... will need to retest against them all.

@knolleary knolleary moved this to In Progress in 🛠 Development Feb 27, 2024
@knolleary knolleary self-assigned this Feb 27, 2024
@knolleary knolleary moved this from In Progress to Review in 🛠 Development Feb 27, 2024
@knolleary knolleary moved this from Review to Verify in 🛠 Development Feb 28, 2024
@knolleary knolleary linked a pull request Feb 28, 2024 that will close this issue
@knolleary knolleary moved this from Verify to Done in 🛠 Development Feb 29, 2024
@joepavitt joepavitt moved this to Done in 🛠 Development Mar 28, 2024