SAML SSO Fails for certain types of Azure AD USers

[TheMacStack]

Hello

We have Sentry deployed in Docker and SSO configured using the Generic SAML2 plugin and an Enterprise Application in Azure AD.

It works perfectly for Local AAD Users but for B2B accounts in Azure AD it fails.

After discussing with MS they are claiming that the value classes:PasswordProtectedTransport

in the SAML Request is not supported on their side and causes inconsistent behavior and we should have it changed to classes:Password unless there is some specific use case for classes:PasswordProtectedTransport.

extract from SAML request

    <samlp:RequestedAuthnContext Comparison="exact">

        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>

    </samlp:RequestedAuthnContext>

I understand you may be hesitant to make such a change due to how it may effect the many other users but can you maybe provide some guidance on how we can make that change if we were to fork and maintain a fork of this project?

I did have a dig through the source code but I am not very familiar with SAML so was not able to find anything that seemed relevant.

thanks