[Bug] - Entra ID - SAML SSO
Existing Resources
- [X] Please search the existing issues for related problems
- [X] Consult the product documentation: Docs
- [X] Consult the FAQ: FAQ
- [X] Consult the Troubleshooting Guide: Guide
- [X] Reviewed existing training videos: YouTube
Describe the bug
Logging in with SAML SSO based on Entra ID, I receive the error "Authentication method 'X509, MultiFactor, PasswordlessPhoneSignIn' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the KASM application owner."
A search on the internet states this: RequestedAuthnContext is an optional value sent from SAML app to Azure AD. So please ask the application developer/vendor if it could be removed from SAML Request. Or if they can add ‘Unspecified’ method to RequestedAuthnContext
To Reproduce
Steps to reproduce the behavior:
- Go to 'my kasm instance'
- Click on 'login with Entra ID'
- See error
Expected behavior
An SSO experience

Workspaces Version
Version 1.15

Workspaces Installation Method
Single Server

Client Browser (please complete the following information):
- OS: macOS
- Browser: Firefox
- Version: 123.0.1
Can confirm, I had the same issue yesterday. Entra ID account that defaults to passwordless (passkey) auth, and the Mac is Intune enrolled with the enterprise SSO extension. Likely one or both is interfering on my end, as I'm able to sign in on non-enrolled devices using password auth.
This may be related to: https://kasmweb.com/docs/latest/guide/saml/requestedAuthnContext.html
I believe in 1.16 Send Requested Authn Context is now an option you can define in the SAML config.
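
A diagnostic for the mismatch discussed in this thread, added here as an example and not taken from Kasm or Microsoft code: it decodes the `SAMLRequest` parameter of an HTTP-Redirect login URL and reports which authentication context classes the service provider demands, or `None` when no constraint is sent. The sample request, the hosts and the function names are constructed, and the `PasswordProtectedTransport` class in it is an assumption about what the reporter's instance sent.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML = 64 * 1024  # cap on inflated size; real AuthnRequests are far smaller

# Constructed sample: an SP pinning password login (ID and hosts are placeholders).
SAMPLE = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Issuer>https://sp.example.invalid</saml:Issuer>'
    '<samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef>'
    'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
    '</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>'
)


def to_redirect_url(xml, idp="https://idp.example.invalid/saml2"):
    """Build a login URL the way the HTTP-Redirect binding does (raw DEFLATE + base64)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()
    return idp + "?" + urlencode({"SAMLRequest": blob})


def decode_saml_request(value):
    """Undo base64 and raw DEFLATE, refusing oversized or DTD-bearing input."""
    d = zlib.decompressobj(-15)
    xml = d.decompress(base64.b64decode(value), MAX_XML)
    if d.unconsumed_tail:
        raise ValueError("inflated request exceeds size cap")
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD not allowed in a SAML message")
    return xml


def requested_authn_context(redirect_url):
    """Return (comparison, [class URIs]), or None if the SP sent no constraint."""
    query = parse_qs(urlparse(redirect_url).query)
    root = ET.fromstring(decode_saml_request(query["SAMLRequest"][0]))
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None
    refs = [(e.text or "").strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return rac.get("Comparison", "exact"), refs  # "exact" is the SAML default
```

Run `requested_authn_context()` on the URL the browser is redirected to when clicking the SSO button; a result of `("exact", [...PasswordProtectedTransport])` means any passwordless, certificate or MFA sign-in will be rejected by the IdP until the element is dropped or relaxed.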