Error encountered during SAML authentication in ADManager Plus

Issue description   

When users attempt to log in to ADManager Plus using SAML authentication, they may encounter the following error message:

AADSTS75011: The authentication method used by the user does not match the authentication method requested by the application.

This issue occurs when there is a mismatch between the authentication method requested by ADManager Plus and the method used by the user to authenticate with the Identity Provider (IdP).

Possible causes  

  1. Mismatched authentication context: The AuthnContextClassRef in the SAML request specifies an authentication method (e.g., Password, Protected Transport), but the user authenticates using a different method (e.g., X509, MultiFactor).

  2. Previous authentication context: If a user has previously authenticated with a different method, the Identity Provider (IdP) might retain and pass through this existing authentication context instead of performing a fresh authentication, leading to a mismatch.

  3. SAML request configuration issue: The RequestedAuthnContext parameter in the SAML request is an optional value. If it is set incorrectly or conflicts with the authentication method used by the user, it can cause this error.

Prerequisites  

  • Review the Identity Provider (IdP) configuration on both sides (ADManager Plus and the SSO service provider) so that the authentication method the IdP uses matches the one ADManager Plus expects.

  • Backup the ADManager Plus database before making changes.

Resolution

Step 1: Modify the authentication context requirement  

  1. Download and extract the ZIP file from the following link: SecureDB.zip.

  2. Inside the extracted folder, locate the following files:

    • connectSecureDB

    • decrypt

    • SecureDB

  3. Copy all three files and place them in the ADManager Plus bin folder:

{ADMPInstalledLocation}\ManageEngine\ADManager Plus\bin

Step 2: Disable the SAML authentication context requirement  

  1. Open the Command Prompt as administrator and navigate to the bin folder of ADManager Plus.

  2. Run the following command to connect to the database:

connectSecureDB.bat

  3. A new command window will open. In that window, execute the following SQL query:

insert into ADSProductParams values(2,'SAML_AUTHN_CONTEXT_REQUIRED', 'false');

  4. Close the Command Prompt.

  5. Restart ADManager Plus to apply the changes.

After restarting, try logging in again using SAML authentication to check if the issue is resolved.

Tips  

  • Ensure that the authentication method requested in the SAML request matches the method allowed in your Identity Provider (IdP) settings.

  • If the issue persists, review the serverout logs in ADManager Plus and your IdP logs for mismatches or errors.

  • If multi-factor authentication (MFA) is enforced, verify that ADManager Plus is configured to accept the authentication context the IdP returns for MFA sign-ins, rather than requiring a specific method that an MFA sign-in will not satisfy.

  • If needed, reach out to your IdP administrator to adjust authentication policies to align with the product's requirement.
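The causes listed above and the first two tips come down to one comparison: the AuthnContextClassRef the IdP asserts in its Response must satisfy the RequestedAuthnContext the service provider put in its AuthnRequest. The following Python script is an added example, not ManageEngine code, that parses both messages and reports whether they agree, so an administrator can check captured SAML traces (for instance from the serverout logs or the IdP's logs) before changing the product setting. All messages in it are constructed samples; the Issuer URLs are placeholders, and how ADManager Plus itself builds its request once SAML_AUTHN_CONTEXT_REQUIRED is set to false is not shown on this page and is only assumed to be the "no RequestedAuthnContext" case.

```python
"""Diagnose the AuthnContext mismatch behind AADSTS75011 (added example, not
ManageEngine code).  Parses a SAML AuthnRequest and Response and reports whether
the method the IdP asserted satisfies what the service provider requested."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"  # standard SAML 2.0 class prefix


def make_request(class_refs=None, comparison="exact"):
    """Build a minimal AuthnRequest (constructed sample).  class_refs=None omits
    RequestedAuthnContext entirely; this is assumed, not confirmed, to be the
    shape of the request once the context requirement is disabled."""
    rac = ""
    if class_refs is not None:
        refs = "".join(f"<saml:AuthnContextClassRef>{r}</saml:AuthnContextClassRef>"
                       for r in class_refs)
        rac = (f'<samlp:RequestedAuthnContext Comparison="{comparison}">'
               f'{refs}</samlp:RequestedAuthnContext>')
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
            f'<saml:Issuer>https://admp.example.com/samlLogin</saml:Issuer>{rac}'
            f'</samlp:AuthnRequest>')


def make_response(class_ref):
    """Build a minimal Response with one AuthnStatement (constructed sample)."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:05Z">'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:05Z">'
            f'<saml:Issuer>https://idp.example.com/</saml:Issuer>'
            f'<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:05Z"><saml:AuthnContext>'
            f'<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>'
            f'</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>')


def requested_context(authn_request_xml):
    """Return (comparison, [class refs]), or (None, []) when the SP did not ask
    for any particular method (RequestedAuthnContext is optional)."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return rac.get("Comparison", "exact"), refs


def asserted_contexts(response_xml):
    """Return every AuthnContextClassRef the IdP placed in an AuthnStatement."""
    root = ET.fromstring(response_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in root.iterfind(path, NS) if e.text]


def check_match(authn_request_xml, response_xml):
    """Apply the SAML 2.0 'exact' comparison rule.  'minimum', 'maximum' and
    'better' depend on the IdP's own strength ordering, so they are flagged
    for manual review (ok=None) rather than guessed."""
    comparison, requested = requested_context(authn_request_xml)
    asserted = asserted_contexts(response_xml)
    result = {"comparison": comparison, "requested": requested, "asserted": asserted}
    if comparison is None:
        result.update(ok=True, reason="no RequestedAuthnContext: any IdP method is acceptable")
    elif comparison != "exact":
        result.update(ok=None, reason=f"Comparison={comparison} depends on the IdP's class ordering")
    elif not asserted:
        result.update(ok=False, reason="response carries no AuthnContextClassRef")
    elif any(a in requested for a in asserted):
        result.update(ok=True, reason="asserted method is one of the requested classes")
    else:
        result.update(ok=False, reason="asserted method is not among the requested classes "
                                       "(the AADSTS75011 situation)")
    return result


if __name__ == "__main__":
    req = make_request([AC + "PasswordProtectedTransport"])
    for label, resp in (("password", make_response(AC + "PasswordProtectedTransport")),
                        ("certificate", make_response(AC + "X509"))):
        r = check_match(req, resp)
        print(f"{label}: ok={r['ok']} ({r['reason']})")
```

Run it against a decoded AuthnRequest and Response captured from a failing login to see which class the IdP actually returned; if the asserted class is a cached one from an earlier session (cause 2 above), the IdP logs will show no fresh authentication event at that time.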

When and how to reach support  

If the issue persists, contact our support team here.
