SAML AuthnContext for Azure AD passwordless signin

gon007
OpenVpn Newbie
Posts: 3
Joined: Fri Dec 03, 2021 9:28 am

SAML AuthnContext for Azure AD passwordless signin

Post by gon007 » Mon Feb 20, 2023 3:29 am

Hello,
I configured my OpenVPN Access Server 2.11.3 to use Azure AD SAML for sign-in, but one user cannot log in because he is using Passwordless (https://learn.microsoft.com/en-us/azure ... less-phone) to authenticate with Azure AD.

AuthnContext configured: "Password PasswordProtectedTransport TLSClient X509 Kerberos"

Login error: "Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the 'VPN Authentication' application owner."

When I disable "Send AuthnContext in AuthNRequest to indicate authentication methods", the user can log in, but we have to reauthenticate at every sign-in.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: SAML AuthnContext for Azure AD passwordless signin

Post by openvpn_inc » Mon Feb 20, 2023 9:43 am

Hello gon007,

Can you make sure that "Send ForceAuthn in AuthNRequest to request user interaction" is turned off? That's the flag that politely asks the SAML IdP to always reauthenticate for every authentication session. If it's already off, you should contact Microsoft support to ask what setting is needed to make this work without reauthenticating every time.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
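The two Access Server options discussed in this thread map to two things in the SAML 2.0 AuthnRequest the SP sends to Azure AD: "Send AuthnContext in AuthNRequest" adds a samlp:RequestedAuthnContext element listing the configured class URIs (Password, PasswordProtectedTransport, TLSClient, X509, Kerberos), and "Send ForceAuthn in AuthNRequest" sets the ForceAuthn="true" attribute on the request itself. The following is an added example, not code from the Access Server product or from either poster: it builds both request variants with the standard library, reads the settings back out of the XML, and applies the SAML "exact" comparison rule (the default when Comparison is not given) to an IdP's asserted AuthnContextClassRef. The issuer, ACS URL, destination and the Microsoft "multipleauthn" URI used for the asserted MFA context are assumptions for illustration. Under the spec's "exact" rule a request that lists the X509 class should accept an assertion whose context is X509, so the example does not explain the rejection seen in the first post; it only shows what each option puts on the wire.

```python
"""Model the SAML AuthnRequest options behind the two Access Server settings
discussed above: RequestedAuthnContext and ForceAuthn.  Added example; not the
Access Server implementation."""
import datetime
import uuid
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Class URIs for the setting value "Password PasswordProtectedTransport TLSClient X509 Kerberos".
REQUESTED_CLASSES = [
    AC + c for c in ("Password", "PasswordProtectedTransport", "TLSClient", "X509", "Kerberos")
]

# Assumed (not from the thread): the URI Azure AD uses for a multi-factor context.
MS_MULTIPLEAUTHN = "http://schemas.microsoft.com/claims/multipleauthn"


def build_authn_request(issuer, acs_url, destination, requested_classes=None,
                        force_authn=False, comparison="exact"):
    """Serialize an AuthnRequest.  requested_classes=None leaves out
    RequestedAuthnContext (the 'Send AuthnContext' option off); force_authn
    adds ForceAuthn="true" (the 'Send ForceAuthn' option on)."""
    attrs = {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    }
    if force_authn:
        attrs["ForceAuthn"] = "true"
    root = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", attrs)
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = issuer
    if requested_classes:
        rac = ET.SubElement(root, f"{{{NS_SAMLP}}}RequestedAuthnContext", {"Comparison": comparison})
        for cls in requested_classes:
            ET.SubElement(rac, f"{{{NS_SAML}}}AuthnContextClassRef").text = cls
    return ET.tostring(root, encoding="unicode")


def requested_context(request_xml):
    """Return (comparison, [class URIs]) from the request, or (None, None) if
    no RequestedAuthnContext was sent."""
    rac = ET.fromstring(request_xml).find(f"{{{NS_SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None, None
    classes = [e.text for e in rac.findall(f"{{{NS_SAML}}}AuthnContextClassRef")]
    return rac.get("Comparison", "exact"), classes


def force_authn_requested(request_xml):
    """True when the request carries ForceAuthn="true" (a fresh login is demanded)."""
    return ET.fromstring(request_xml).get("ForceAuthn", "false").lower() == "true"


def context_satisfies(requested_classes, asserted_class, comparison="exact"):
    """SAML 2.0 'exact' rule: the asserted context must equal one of the
    requested class URIs.  With nothing requested, any context is acceptable.
    Other comparison modes need IdP-specific ordering and are not modelled."""
    if not requested_classes:
        return True
    if comparison != "exact":
        raise NotImplementedError(f"comparison {comparison!r} not modelled")
    return asserted_class in requested_classes


if __name__ == "__main__":
    sp = dict(issuer="https://vpn.example.test", acs_url="https://vpn.example.test/saml/acs",
              destination="https://login.microsoftonline.com/example/saml2")  # assumed values
    strict = build_authn_request(**sp, requested_classes=REQUESTED_CLASSES)
    relaxed = build_authn_request(**sp, requested_classes=None, force_authn=True)
    print("strict  :", requested_context(strict), "ForceAuthn:", force_authn_requested(strict))
    print("relaxed :", requested_context(relaxed), "ForceAuthn:", force_authn_requested(relaxed))
    for asserted in (AC + "X509", MS_MULTIPLEAUTHN):
        print(asserted, "->", context_satisfies(REQUESTED_CLASSES, asserted))
```

When troubleshooting, compare the decoded SAMLRequest from the browser against these two shapes: a RequestedAuthnContext element means the IdP must answer with one of the listed classes, and ForceAuthn="true" means the IdP is asked to prompt again even when a session exists; the reauthentication symptom in the thread belongs to the second, not the first.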

jjensen
OpenVpn Newbie
Posts: 2
Joined: Wed Oct 21, 2020 10:40 am

Re: SAML AuthnContext for Azure AD passwordless signin

Post by jjensen » Thu Mar 30, 2023 10:37 am

Did this get resolved? We are seeing similar issues and getting the exact same X509 error. It seems completely random which users are affected by this, though, and it also happens on Windows, macOS and Linux. Please advise on what to do, as this is causing major disruption in our users' workflow.
