Issue description   

When users attempt to log in to ADManager Plus using SAML authentication, they may encounter the following error message:

AADSTS75011: The authentication method used by the user does not match the authentication method requested by the application.

This issue occurs when there is a mismatch between the authentication method requested by ADManager Plus and the method used by the user to authenticate with the Identity Provider (IdP).

Possible causes  

1. Mismatched authentication context: The AuthnContextClassRef in the SAML request specifies an authentication method (e.g., Password, Protected Transport), but the user authenticates using a different method (e.g., X509, MultiFactor).

2. Previous authentication context: If a user has previously authenticated with a different method, the Identity Provider (IdP) might retain and pass through this existing authentication context instead of performing a fresh authentication, leading to a mismatch.

3. SAML request configuration issue: The RequestedAuthnContext parameter in the SAML request is an optional value. If it is set incorrectly or conflicts with the authentication method used by the user, it can cause this error.

Prerequisites  

• The Identity Provider (IdP) configuration should be reviewed in both platforms (ADManager Plus and the SSO Service provider) to match the authentication method expected by ADManager Plus.

• Backup the ADManager Plus database before making changes.

Resolution

Step 1: Modify the authentication context requirement  

1. Download and extract the ZIP file from the following link: SecureDB.zip.

2. Inside the extracted folder, locate the following files:

• connectSecureDB

• decrypt

• SecureDB

3. Copy all three files and place them in the ADManager Plus bin folder:

{ADMPInstalledLocation}\ManageEngine\ADManager Plus\bin

Step 2: Disable the SAML authentication context requirement  

1. Open the Command Prompt as administrator and navigate to the bin folder of ADManager Plus.

2. Run the following command to connect to the database:

connectSecureDB.bat

3. A new command window will open. In that window, execute the following SQL query:

insert into ADSProductParams values(2,'SAML_AUTHN_CONTEXT_REQUIRED', 'false');

4. Close the Command Prompt.

5. Restart ADManager Plus to apply the changes.

After restarting, try logging in again using SAML authentication to check if the issue is resolved.

Tips  

• Ensure that the authentication method requested in the SAML request matches the method allowed in your Identity Provider (IdP) settings.

• If the issue persists, review the serverout logs in ADManager Plus and your IdP logs for mismatches or errors.

• If multi-factor authentication (MFA) is enforced, verify that ADManager Plus is configured with necessary ways to support it.

• If needed, reach out to your IdP administrator to adjust authentication policies to align with the product's requirement.

When and how to reach support