Open designatedsuccessor opened 5 months ago
Try this https://snipe-it.readme.io/docs/saml#additional-azure-ad-troubleshooting
Sorry, I should have been more clear. I know how to work around it (using custom SAML settings), but what I'm really thinking is that security.requestedAuthnContext=false should just be the default, especially for new installs. In modern IdP/SP implementations, this being set to "true" doesn't really have a place anymore. In other words, I'd make it "opt-out" instead of "opt-in." Most SPs don't even allow this to be set to "true" anymore.
Is your feature request related to a problem? Please describe.
When logging into Snipe-IT using an SSO Entra account, the following error appears:
AADSTS75011: Authentication method 'MultiFactor, Fido' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'.
This is usually related to Authn contexts. Ideally, this just needs to be disabled, as it doesn't add any security and prevents better authentication methods like passwordless.
Describe the solution you'd like
Allow for passwordless authentication.
Describe alternatives you've considered
No response
Additional context
No response
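A check for the condition behind the AADSTS75011 error above, as an added example that is not part of the original issue or Snipe-IT's code: it inspects a decoded SAML AuthnRequest and reports whether it pins a password-only authentication context with exact comparison. The sample requests, the `snipeit.example.com` issuer and the function names are constructed for illustration, and the assumption is that the SP sends the `PasswordProtectedTransport` class, matching the 'Password, ProtectedTransport' method named in the error.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, prefer the defusedxml package

# SAML 2.0 namespaces and the password-based AuthnContext class URNs.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PASSWORD_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}

# Constructed sample: request that demands a password context (assumed SP behaviour).
PINNED_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://snipeit.example.com</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed sample: request with no RequestedAuthnContext element.
PLAIN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://snipeit.example.com</saml:Issuer>
</samlp:AuthnRequest>"""

def requested_authn_context(authn_request_xml):
    """Return the requested comparison and class refs, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None
    refs = [e.text.strip()
            for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    # SAML core: an omitted Comparison attribute is evaluated as "exact".
    return {"comparison": rac.get("Comparison", "exact"), "class_refs": refs}

def blocks_passwordless(authn_request_xml):
    """True when only password classes are requested with exact comparison,
    so an IdP session established with FIDO or MFA cannot satisfy it."""
    ctx = requested_authn_context(authn_request_xml)
    if ctx is None or not ctx["class_refs"]:
        return False
    return ctx["comparison"] == "exact" and set(ctx["class_refs"]) <= PASSWORD_CLASSES
```
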