You receive an Azure AD "AADSTS75011: Authentication method by which the user authenticated with the service doesn't match requested authentication method." Error When Trying To Sign Into Laserfiche Directory Server With Azure AD SAML SSO

May 3, 2023 | KB: 1014435
Directory Server

Summary

You receive the following error from Azure Active Directory (Azure AD) when attempting to sign into a Laserfiche application with Laserfiche Directory Server when Azure AD is configured as a SAML Identity Provider:

AADSTS75011: Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'.

Note: The "Authentication method" and "requested authentication method" values in your error may differ from 'X509, MultiFactor' and 'Password, ProtectedTransport'.

Cause

The error occurs due to a mismatch between the SAML RequestedAuthnContext in the Laserfiche Directory Server SAML request and the AuthnContext in the Azure AD SAML response. Please see the Microsoft Azure Active Directory documentation article for this error for a detailed technical description of why it can occur.

Resolution

Microsoft's recommended resolution is to remove the 'RequestedAuthnContext' attribute (an optional value) from SAML requests.
However, Laserfiche Directory Server does not currently support removing the attribute from the request.
If Directory Server's "Authentication context" SAML configuration property, which sets the 'RequestedAuthnContext' value in the SAML request, is left blank, it will send the default value of "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport".
Instead, you can set the value to "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" which allows any AuthnContext, just as removing the 'RequestedAuthnContext' attribute would.
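To see concretely why the default value fails against a certificate-based sign-in and why the 'unspecified' value passes, here is an added Python example (not Laserfiche's or Microsoft's code) that parses a constructed AuthnRequest and a constructed IdP Response and applies the exact-comparison rule described in the Cause section. The XML fragments, their IDs, the issuer URL and the X509 response class are assumptions, and only Comparison="exact" is modelled.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PPT, UNSPECIFIED, X509 = AC + "PasswordProtectedTransport", AC + "unspecified", AC + "X509"

def build_request(authn_context):
    """Constructed AuthnRequest modelled on the one Directory Server sends; the
    RequestedAuthnContext value is what the 'Authentication context' property sets."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">'
            '<saml:Issuer>https://yourDirectoryServer.example.com/LFDS</saml:Issuer>'
            '<samlp:RequestedAuthnContext Comparison="exact">'
            f'<saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef>'
            '</samlp:RequestedAuthnContext></samlp:AuthnRequest>')

# Constructed Response fragment: the IdP reports that the user authenticated with a certificate.
IDP_RESPONSE = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_p1" Version="2.0">'
                '<saml:Assertion ID="_a1" Version="2.0">'
                '<saml:AuthnStatement AuthnInstant="2023-05-03T00:00:00Z"><saml:AuthnContext>'
                f'<saml:AuthnContextClassRef>{X509}</saml:AuthnContextClassRef>'
                '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>')

def context_class_refs(saml_xml):
    """Collect every AuthnContextClassRef in a request or response (empty set = none present)."""
    root = ET.fromstring(saml_xml)
    return {e.text.strip() for e in root.iter(f"{{{SAML}}}AuthnContextClassRef") if e.text}

def authn_context_matches(requested, asserted):
    """Exact comparison: no RequestedAuthnContext, or the 'unspecified' class, accepts any
    method; otherwise the method the IdP asserts must be one the SP requested.
    (Comparison="minimum"/"better"/"maximum" orderings are not modelled here.)"""
    if not requested or UNSPECIFIED in requested:
        return True
    return bool(requested & asserted)

def check(request_xml, response_xml):
    """Return (matches, requested classes, asserted classes) for one request/response pair."""
    requested, asserted = context_class_refs(request_xml), context_class_refs(response_xml)
    return authn_context_matches(requested, asserted), sorted(requested), sorted(asserted)

if __name__ == "__main__":
    for ctx in (PPT, UNSPECIFIED):  # the default value, then the value this article recommends
        ok, req, got = check(build_request(ctx), IDP_RESPONSE)
        print(f"requested={req} asserted={got} -> {'OK' if ok else 'MISMATCH (AADSTS75011)'}")
```

Running it prints a mismatch for the PasswordProtectedTransport default and OK for unspecified against the same certificate-based response.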

The following steps describe how to make this change to your Laserfiche Directory Server Azure AD SAML configuration:

  • Log into Laserfiche Directory Server Web Admin in a browser (https://yourDirectoryServer.example.com/LFDS)
  • Navigate to Settings > Identity Providers > select the Azure AD SAML Identity Provider > locate the Authentication context attribute
  • Update the Authentication context value to urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
  • Save the SAML Identity Provider configuration

Note: While the AADSTS75011 error code is specific to Azure AD, the underlying issue of a mismatch between the SAML RequestedAuthnContext in the Laserfiche Directory Server SAML request and the AuthnContext in the identity provider's SAML response may occur with other SAML providers. You may see a similar error message in the SAML provider's login UI, in its backend logs, or in other locations where its errors can appear. The resolution steps above should work with other SAML providers experiencing the same issue.