SAML AuthnContext for Azure AD passwordless signin

Posted: Mon Feb 20, 2023 3:29 am
by gon007
Hello,
I configured my OpenVPN Access Server 2.11.3 to sign in using Azure AD SAML, but one user cannot log in because he is using Passwordless (https://learn.microsoft.com/en-us/azure ... less-phone) to authenticate with Azure AD.

AuthnContext configured: "Password PasswordProtectedTransport TLSClient X509 Kerberos"

Login error: "Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the 'VPN Authentication' application owner."

When I disable "Send AuthnContext in AuthNRequest to indicate authentication methods", the user can log in, but we need to reauthenticate on each sign-in.

Re: SAML AuthnContext for Azure AD passwordless signin

Posted: Mon Feb 20, 2023 9:43 am
by openvpn_inc
Hello gon007,

Can you make sure that "Send ForceAuthn in AuthNRequest to request user interaction" is turned off? That's the flag that politely asks the SAML IdP to always reauthenticate for every authentication session. If it's already off, you should contact Microsoft support to ask what setting is needed to make this work without reauthenticating every time.

Kind regards,
Johan
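
Added example (not OpenVPN Access Server or Azure AD code) that builds the AuthnRequest the two settings discussed in this thread control, "Send AuthnContext" (the RequestedAuthnContext element) and "Send ForceAuthn" (the ForceAuthn attribute), and then performs the SP-side check that produces the mismatch from the first post: the class the IdP asserts in its Response must be one of the classes the SP requested when Comparison is "exact". The issuer and ACS URLs are placeholders, and the Response is constructed to resemble a passwordless login asserting X509; it is not a captured Azure AD message.

```python
"""Minimal SAML 2.0 AuthnRequest builder plus the SP-side check that decides
whether an IdP Response's AuthnContextClassRef satisfies what was requested.
Added example; not OpenVPN Access Server or Azure AD code.  The issuer and
ACS URLs are placeholders and the Response is constructed for illustration."""
import datetime
import uuid
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# The five classes configured in the original post, as full URNs.
CONFIGURED_CLASSES = [AC + c for c in
                      ("Password", "PasswordProtectedTransport", "TLSClient", "X509", "Kerberos")]


def build_authn_request(issuer, acs_url, requested=None,
                        comparison="exact", force_authn=False):
    """Return an AuthnRequest as XML text.

    requested=None omits RequestedAuthnContext, i.e. the "Send AuthnContext"
    option turned off: the IdP may authenticate the user any way it likes.
    force_authn=True adds ForceAuthn="true", the "Send ForceAuthn" option:
    it asks the IdP to reauthenticate even if the user has a live SSO session.
    """
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": now,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    if requested:
        rac = ET.SubElement(req, f"{{{NS['samlp']}}}RequestedAuthnContext",
                            {"Comparison": comparison})
        for cls in requested:
            ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = cls
    return ET.tostring(req, encoding="unicode")


def requested_context(authn_request_xml):
    """(comparison, [class URNs]) from an AuthnRequest, or (None, None) if absent."""
    rac = ET.fromstring(authn_request_xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, None
    classes = [e.text for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return rac.get("Comparison", "exact"), classes


def asserted_context(response_xml):
    """All AuthnContextClassRef values asserted in a Response's AuthnStatements."""
    root = ET.fromstring(response_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [e.text for e in root.iterfind(path, NS)]


def context_satisfied(requested, asserted, comparison="exact"):
    """SP-side decision.  No RequestedAuthnContext accepts anything; with
    Comparison="exact" (the SAML default) the asserted class must be one of
    those requested.  minimum/better/maximum rank classes by strength, an
    ordering the spec leaves to the IdP, so they are refused rather than guessed."""
    if requested is None:
        return True
    if comparison != "exact":
        raise NotImplementedError("strength-based comparison needs an IdP-defined ranking")
    return any(cls in requested for cls in asserted)


def response_accepted(authn_request_xml, response_xml):
    comparison, requested = requested_context(authn_request_xml)
    return context_satisfied(requested, asserted_context(response_xml), comparison or "exact")


# Constructed Response (not a captured message): the IdP authenticated the
# user with a certificate-backed, passwordless method and says so via X509.
PASSWORDLESS_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2023-02-20T03:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-02-20T03:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2023-02-20T03:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{AC}X509</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    issuer, acs = "https://vpn.example.test/saml", "https://vpn.example.test/saml/acs"  # placeholders
    # Requesting only password classes reproduces the thread's mismatch.
    password_only = [AC + "Password", AC + "PasswordProtectedTransport"]
    print(response_accepted(build_authn_request(issuer, acs, password_only),
                            PASSWORDLESS_RESPONSE))  # False
    # Including X509 in the request, or sending no RequestedAuthnContext, accepts it.
    print(response_accepted(build_authn_request(issuer, acs, CONFIGURED_CLASSES),
                            PASSWORDLESS_RESPONSE))  # True
    print(response_accepted(build_authn_request(issuer, acs, None),
                            PASSWORDLESS_RESPONSE))  # True
```

The check worth keeping in mind when RequestedAuthnContext is switched off: the IdP is then free to assert any class, so the SP should still read the asserted AuthnContextClassRef and apply its own allowlist after the fact (context_satisfied(allowlist, asserted_context(resp)) above), rather than trusting that an unconstrained request implies a particular authentication strength. ForceAuthn is independent of all of this; it only governs whether an existing IdP session may be reused.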

Re: SAML AuthnContext for Azure AD passwordless signin

Posted: Thu Mar 30, 2023 10:37 am
by jjensen
Did this get resolved? We are seeing similar issues and getting the exact same X509 error. It seems completely random which users are affected by this, though, and it also happens on Windows, macOS and Linux. Please advise on what to do, as this is causing major disruption in our users' workflow.