Azure AD SAML SSO and AAD joined devices (docs outdated)
We've recently set up SAML SSO authentication to Azure AD on our PMP instances. All configuration was done according to the ManageEngine guide Configuring SAML Single Sign-On (SSO) for Azure AD Users (manageengine.com)
However some users reported the error AADSTS75011 Error on Edge (Azure AD Joined machines) - Microsoft Community Hub when logging in.
Upon investigation, all of these users were on AAD joined devices and used PIN or FaceID authentication to log on their machines.
To work around the problem, one could either :
- Open PMP in a private tab, forcing password and MFA use every time
- Lock the AAD joined device and unlock using a password, then go to PMP
On the server, a permanent fix is possible by adding the undocumented value
- saml.AuthnContextRequired=false
to system_properties.conf.
This disables the sending of the (optional) RequestedAuthnContext element as per the Microsoft resolution here: Error - AADSTS75011 Authentication method by which the user authenticated with the service doesn't match requested authentication method AuthnContextClassRef. - Active Directory | Microsoft Learn.
I couldn't find this in the documentation for adding AAD SAML SSO, so here is the solution with the suggestion of adding this to the docs as more and more organizations will switch to AAD joined devices.
This disables the sending of the (optional) RequestedAuthnContext element as per the Microsoft resolution here: Error - AADSTS75011 Authentication method by which the user authenticated with the service doesn't match requested authentication method AuthnContextClassRef. - Active Directory | Microsoft Learn.
I couldn't find this in the documentation for adding AAD SAML SSO, so here is the solution with the suggestion of adding this to the docs as more and more organizations will switch to AAD joined devices.