EECOLOR
commented
2 months ago Closed EECOLOR closed 1 month ago
EECOLOR
commented
2 months ago 
plsrd
commented
1 month ago Thanks for reporting! We've implemented a fix that should allow you to use Windows Hello properly.
EECOLOR
commented
1 month ago @plsrd The service still redirects with the same SAMLRequest query string:
<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_..." Version="2.0" IssueInstant="2024-10-04T14:20:06.230Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Destination="https://login.microsoftonline.com/.../saml2" AssertionConsumerServiceURL="https://api.sanity.io/v2021-10-01/auth/saml/callback/...">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sso.sanity.io/saml/...</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"/>
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>From the Microsoft link:
Cause The
RequestedAuthnContextis in the SAML request. This means the app is expecting theAuthnContextspecified by theAuthnContextClassRef. However, the user has already authenticated prior to access the application and theAuthnContext(authentication method) used for that previous authentication is different from the one being requested.... The
AuthnContextClassRefwill beurn:federation:authentication:windows. Microsoft Entra ID won't perform a fresh authentication request, it will use the authentication context that was passed-through it by the IdP (ADFS or any other federation service in this case). Therefore, there will be a mismatch if the app requests other than urn:federation:authentication:windows. Another scenario is when MultiFactor was used:X509, MultiFactor.Resolution
RequestedAuthnContextis an optional value. If possible, ask the application if the value could be removed.Another option is to make sure that the
RequestedAuthnContextvalue will be honored. This is done by requesting a fresh authentication. By doing this, when the SAML request is processed, a fresh authentication is done andAuthnContextis honored. In order to request a Fresh Authentication, the SAML request must contain the value,forceAuthn="true".
EECOLOR
commented
1 month ago EECOLOR
commented
1 month ago In Slack Darius notified my of a change, I can confirm that the payload has changed. Now waiting for the end user to test. Will report the findings here.
EECOLOR
commented
1 month ago The issue has been resolved! Thank you for the effort!
The SAML SSO connection triggers the following error on Microsoft machines:
This affects a lot of our customers that use Windows Hello to authenticate.
Please adjust the SAML authentication request to include those methods. The endpoint sends the following SAML request:
The Sanity endpoint has this payload in the redirect at https://api.sanity.io/v2021-10-01/auth/saml/login/xyz