The SSO works from Chrome and doesn't work from Edge. Can someone dumb down the cause for me? Does just trying from a different browser change the Authentication context? Or is this a different context that has changed? What are the different types of contexts possible?
2 Answers
We had the same issue. We found you could open it from Edge if you used a new Private window. Alternatively, log out of all your SSO completely and then try logging into the application. When prompted, don't choose your existing profile, instead click the sign in with another account one.
Here was the hint from the article you linked to: "However, the user has already authenticated prior to access the application and the AuthnContext (authentication method) used for that previous authentication is different from the one being requested."
2By default the AuthnContext is set to PasswordProtectedTransport. This works if someone is logging in normally for example, but if they are using Windows Hello to login into their PC, it is x509 auth. You need to override it with multiple options or set it to accept any authentication method. If you are using OneLogin Api, this is fairly easy to do in the advanced_settings.json:
// Authentication context. // Set to false and no AuthContext will be sent in the AuthNRequest, // Set true or don't present this parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'), "requestedAuthnContext": true, // Allows the authn comparison parameter to be set, defaults to 'exact' if the setting is not present. "requestedAuthnContextComparison": "exact",