Thursday, March 12, 2020

Azure AD SAML Integration issue with PingFederate: AADSTS75011

Readers, I'm back!

I would like to resume blogging about my working experiences and the best possible solutions on technologies that I come across every day.

Today, I would like to share a limitation that I came across in Azure AD SAML integration.

Scenario:

A cloud application is integrated with PingFederate, where PingFederate is the IdP and the application is the SP.
PingFederate delegates authentication to Azure AD, so in that second relationship PingFederate is the SP and Azure AD is the IdP.

Issue:
As per the scenario, all three systems (the application, PingFederate and Azure AD) are configured with SAML integration.

When the application is accessed, an error is thrown at the point where the user lands on Azure AD for authentication.


Cause:
As indicated by Azure error code AADSTS75011, the problem is the authentication context value that the application sends in its SAML authentication request, shown below.

<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>

See this article: https://techcommunity.microsoft.com/t5/azure-active-directory/aadsts75011-by-which-the-user-authenticated-with-the-service/m-p/196130#

Azure AD supports only urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the authentication context value in SAML requests. See this article: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol

Fix:
Ensure that the application sends urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the AuthnContextClassRef value in its SAML authentication request.
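As an added example (not part of the original post, and not code from Microsoft or Ping Identity), the following Python script shows how to confirm the cause described above before changing anything: it decodes a SAMLRequest value from the HTTP-Redirect binding (base64 plus raw DEFLATE), lists every AuthnContextClassRef under RequestedAuthnContext, and flags any value other than urn:oasis:names:tc:SAML:2.0:ac:classes:Password, which is the only context the post says Azure AD accepts. It also shows what the corrected request looks like. The sample AuthnRequest, its ID and the entity URLs are constructed for illustration; the function names are my own. The rewrite is only a demonstration of the target value: a signed AuthnRequest cannot be patched in transit, so the real fix is to reconfigure the SP so that it emits the Password context itself.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import List

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# The only authentication context value the post says Azure AD accepts.
AZURE_AD_SUPPORTED_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
# Context class that the post identifies as triggering AADSTS75011.
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Keep the usual prefixes when re-serialising instead of ns0/ns1.
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

# Constructed sample AuthnRequest (not a real capture). The request ID and the
# sp.example.com URLs are placeholders.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_constructed-request-id" Version="2.0" IssueInstant="2020-03-12T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.com/acs">
  <saml:Issuer>https://sp.example.com/entity</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{PASSWORD_PROTECTED_TRANSPORT}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def encode_redirect_binding(xml_text: str) -> str:
    """Build the SAMLRequest query value of the HTTP-Redirect binding:
    raw DEFLATE (no zlib header, wbits=-15) followed by base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_binding(saml_request: str) -> str:
    """Reverse of encode_redirect_binding: base64-decode, then raw inflate.
    This is how a captured SAMLRequest parameter is turned back into XML."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def _class_ref_path() -> str:
    return f"{{{SAMLP_NS}}}RequestedAuthnContext/{{{SAML_NS}}}AuthnContextClassRef"


def requested_authn_contexts(xml_text: str) -> List[str]:
    """Every AuthnContextClassRef value requested by the SP."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.findall(_class_ref_path()) if el.text]


def unsupported_contexts(xml_text: str) -> List[str]:
    """Class refs that, per the post, Azure AD would reject with AADSTS75011."""
    return [c for c in requested_authn_contexts(xml_text) if c != AZURE_AD_SUPPORTED_CONTEXT]


def rewrite_to_password_context(xml_text: str) -> str:
    """Show the corrected request: every class ref becomes the Password context.
    Demonstration only; the SP must be configured to emit this itself."""
    root = ET.fromstring(xml_text)
    for el in root.findall(_class_ref_path()):
        el.text = AZURE_AD_SUPPORTED_CONTEXT
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Simulate what a browser would carry to the IdP, then inspect it.
    on_the_wire = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    request_xml = decode_redirect_binding(on_the_wire)
    bad = unsupported_contexts(request_xml)
    if bad:
        print("AADSTS75011 likely: unsupported AuthnContextClassRef value(s):")
        for value in bad:
            print("  ", value)
        print("Corrected request:")
        print(rewrite_to_password_context(request_xml))
    else:
        print("RequestedAuthnContext is acceptable to Azure AD.")
```

Run it as-is to see the PasswordProtectedTransport value flagged; to check a real request, paste the SAMLRequest query parameter from the redirect to Azure AD into decode_redirect_binding and pass the result to unsupported_contexts.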