Microsoft Clients Specify Unsupported Authentication Context

Cantor, Scott cantor.2 at
Wed Nov 12 15:34:08 EST 2014

On 11/12/14, 8:20 PM, "Mike Wiseman" <mike.wiseman at> wrote:
>We've noticed in the last week or so that SAML requests from our on-prem 
>ADFS to our Shibboleth idp handling Office 365 are including a 
>RequestedAuthnContext and AuthnContextClassRef of:

That basically says "don't accept strong authentication". Somebody should 
ask them to remove that.

>This resulted in the SAML request being accepted, and the rich client 
>environment presenting the end user with our webSSO login page (!).

That sounds like what they were promising to do.

> But, on processing of the credentials, the idp sent another AuthnFailed 
>response saying that the login handler used one of the existing 
>authentication methods instead of the one requested. In doing some 
>googling, I saw a similar question in which the answer was that 
>LoginHandlers are fixed to handle specific authentication methods only 
>and that a new LoginHandler must be built to handle new methods even if 
>the method identifier is meant to invoke an existing authentication 

Yes, there really isn't a way to support multiple methods out of one 
handler. You'd need more than one. If you can configure two copies of the 
UsernamePassword handler at separate locations, that might work, I don't 
recall. I wrote my own to deal with issues like this. There's also the MCB 
work until V3 is out soon.

-- Scott

More information about the users mailing list