SAML Authentication - 'X509, MultiFactor' error

Hello,

For our own company we are using SuiteCRM in combination with Microsoft Azure, so we are using SAML Authentication to log in to SuiteCRM with our Azure AD.

For most of the users this is working perfectly, but some of them have issues while logging in. Most of the time the user can log in, but sometimes this error appears:

AADSTS75011: Authentication method 'X509, MultiFactor' by which the user
authenticated with the service doesn't match requested authentication method
'Password, Protected Transport'.

The certificate is correct and most of the users are not getting this error, so I don't have any idea how this is possible. Could it be that the user is logged in with a fingerprint and SuiteCRM can't handle that? And is there some workaround to prevent this error message?

I hope anyone can help us. We are using SuiteCRM version 7.12.8 by the way.

Thank you!

Try logging in from a browser that’s not already logged into your Microsoft account, e.g. Firefox, or an Edge Incognito tab, or a Firefox Private window. Does that work better?

Maybe a solution would be to set the login context to Unspecified as shown here:

"If the application has an option to select the authentication method, change it to
urn:oasis:names:tc:SAML:2.0:ac:classes:Unspecified
to allow Azure to select the authentication method.
Right now it is attempting to use WIA but being forced to use Username and Password."

WIA = Windows Integrated Authentication

Was anybody able to resolve this issue? We are facing the same issue.
We are using Edge with a preset Work Profile set by the Admin. If I try to log in using this browser I'm getting the same error. If I use an Incognito session or a different browser then it is working correctly.

I also came across this issue. Managed to fix it by editing the file:
SuiteCRM\vendor\onelogin\php-saml\src\Saml2\AuthnRequest.php

Change line:

<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>

To:

<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Unspecified</saml:AuthnContextClassRef>
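The line patched above is the default that php-saml emits when its `security['requestedAuthnContext']` setting is `true`. The same library also lets the SP choose the requested context (or drop the element entirely) through its settings array, which survives a `composer update` of the vendor directory. The script below is an added example, not code from SuiteCRM or from php-saml; it assumes php-saml is installed via Composer, and the entity IDs, URLs, tenant ID and certificate are placeholders you would replace with your own. It builds three AuthnRequests and reports which of them still demand PasswordProtectedTransport, the value that Azure AD rejected with AADSTS75011 in the thread above when the user had actually authenticated with 'X509, MultiFactor'.

```php
<?php
// Added example (not SuiteCRM's or php-saml's own code): drive the
// <samlp:RequestedAuthnContext> element from php-saml's `security` settings
// instead of patching vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php.
// Assumes php-saml is installed with Composer; every ID, URL and cert below
// is a placeholder.
require __DIR__ . '/vendor/autoload.php';

use OneLogin\Saml2\AuthnRequest;
use OneLogin\Saml2\Settings;

/** Minimal SP/IdP settings; only the `security` block varies per request. */
function buildSettings(array $security): array
{
    return [
        'strict' => true,
        'sp' => [
            'entityId' => 'https://crm.example.com/metadata',                // placeholder
            'assertionConsumerService' => [
                'url' => 'https://crm.example.com/index.php?module=Users&action=Authenticate', // placeholder
            ],
            'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        ],
        'idp' => [
            'entityId' => 'https://sts.windows.net/00000000-0000-0000-0000-000000000000/',             // placeholder tenant
            'singleSignOnService' => [
                'url' => 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2', // placeholder
            ],
            'x509cert' => 'MIIC...placeholder...',                           // placeholder IdP signing cert
        ],
        'security' => $security,
    ];
}

/** Returns true when the generated AuthnRequest asks for PasswordProtectedTransport. */
function requestsPasswordProtectedTransport(array $security): bool
{
    // Second argument = SP-only validation, so the placeholder IdP cert is not checked here.
    $settings = new Settings(buildSettings($security), true);
    $request  = new AuthnRequest($settings);
    return strpos($request->getXML(), 'ac:classes:PasswordProtectedTransport') !== false;
}

$variants = [
    // php-saml default: the hard-coded line the post above patches in the vendor file.
    'default (true)'      => ['requestedAuthnContext' => true],
    // Ask for Unspecified so Azure AD can pick the method (the thread's suggestion).
    'Unspecified'         => [
        'requestedAuthnContext'           => ['urn:oasis:names:tc:SAML:2.0:ac:classes:Unspecified'],
        'requestedAuthnContextComparison' => 'exact',
    ],
    // Omit <samlp:RequestedAuthnContext> altogether.
    'omitted (false)'     => ['requestedAuthnContext' => false],
];

foreach ($variants as $label => $security) {
    printf(
        "%-18s requests PasswordProtectedTransport: %s\n",
        $label,
        requestsPasswordProtectedTransport($security) ? 'yes' : 'no'
    );
}
```

Whether SuiteCRM's SAML settings file passes a `security` array through to php-saml in your version is an assumption you should check before relying on this; if it does, setting `requestedAuthnContext` there replaces the vendor edit. Note the trade-off: with `Unspecified` or `false` the SP no longer states a minimum authentication strength in the request, so enforce MFA or certificate requirements on the Azure AD side (for example with a Conditional Access policy on the SuiteCRM enterprise application) rather than expecting the AuthnRequest to do it.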