Hello,
I configured my OpenVPN Access Server 2.11.3 to use Azure AD SAML for sign-in, but one user cannot log in because he is using Passwordless (https://learn.microsoft.com/en-us/azure ... less-phone) to authenticate with Azure AD.
AuthnContext configured: "Password PasswordProtectedTransport TLSClient X509 Kerberos"
Login error: "Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the 'VPN Authentication' application owner."
When I disable "Send AuthnContext in AuthNRequest to indicate authentication methods", the user can log in, but we need to reauthenticate at each sign-in.
SAML AuthnContext for Azure AD passwordless signin
- openvpn_inc
- OpenVPN Inc.
Re: SAML AuthnContext for Azure AD passwordless signin
Hello gon007,
Can you make sure that "Send ForceAuthn in AuthNRequest to request user interaction" is turned off? That's the flag that politely asks the SAML IdP to always reauthenticate for every authentication session. If it's already off, you should contact Microsoft support to ask what setting is needed to make this work without reauthenticating every time.
Kind regards,
Johan

Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
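To check what the two Access Server settings named in this thread actually put into the request, this added example (not from the thread or from OpenVPN Inc.) decodes a captured `SAMLRequest` value and reports `ForceAuthn` and the `RequestedAuthnContext`. The sample request is constructed, and `exact_match` follows the SAML 2.0 definition of `Comparison="exact"`, which is an assumption about how any given IdP evaluates it.

```python
import base64
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"  # SAML 2.0 class URI prefix

# Constructed sample: the five classes from the first post, ForceAuthn off.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" '
    'Version="2.0" ForceAuthn="false">'
    '<samlp:RequestedAuthnContext Comparison="exact">'
    + "".join(f"<saml:AuthnContextClassRef>{AC}{c}</saml:AuthnContextClassRef>"
              for c in ("Password", "PasswordProtectedTransport",
                        "TLSClient", "X509", "Kerberos"))
    + "</samlp:RequestedAuthnContext></samlp:AuthnRequest>")

def encode_redirect(xml_text):
    """Raw DEFLATE then base64, as the HTTP-Redirect binding encodes it."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def inspect_authn_request(saml_request):
    """Decode a SAMLRequest from your own SP and report what it asks of the IdP."""
    raw = base64.b64decode(saml_request)
    try:
        raw = zlib.decompress(raw, -15)   # HTTP-Redirect binding
    except zlib.error:
        pass                              # HTTP-POST binding: base64 only
    root = ET.fromstring(raw)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    refs = [] if rac is None else rac.findall("saml:AuthnContextClassRef", NS)
    return {
        "force_authn": root.get("ForceAuthn", "false") in ("true", "1"),
        # SAML core: Comparison defaults to "exact" when the attribute is omitted.
        "comparison": None if rac is None else rac.get("Comparison", "exact"),
        "classes": [r.text.strip() for r in refs],
    }

def exact_match(info, used_class):
    """True if used_class satisfies the request; only 'exact' is modelled here."""
    if info["comparison"] is None:        # no RequestedAuthnContext was sent
        return True
    return info["comparison"] == "exact" and used_class in info["classes"]

if __name__ == "__main__":
    print(inspect_authn_request(encode_redirect(SAMPLE_XML)))
```

The `SAMLRequest` value can be copied from the browser's network tab during a login attempt; run the script against it before and after changing either setting to confirm what changed.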
Re: SAML AuthnContext for Azure AD passwordless signin
Did this get resolved? We are seeing similar issues and getting the exact same x509 error. It seems completely random which users are affected by this, though, and it happens on Windows, macOS and Linux. Please advise on what to do, as this is causing major disruption to our users' workflow.