Microsoft Clients Specify Unsupported Authentication Context

Mike Wiseman mike.wiseman at
Thu Nov 13 09:15:36 EST 2014

> On 11/12/14, 8:20 PM, "Mike Wiseman" <mike.wiseman at> wrote:
> >
> >We've noticed in the last week or so that SAML requests from our
> >on-prem ADFS to our Shibboleth idp handling Office 365 are including a
> >RequestedAuthnContext and AuthnContextClassRef of:
> >
> >
> >ass
> >word
> That basically says "don't accept strong authentication". Somebody should ask them to
> remove that.
> >This resulted in the SAML request being accepted, and the rich client
> >environment presenting the end user with our webSSO login page (!).
> That sounds like what they were promising to do.
> > But, on processing of the credentials, the idp sent another
> >AuthnFailed response saying that the login handler used one of the
> >existing authentication methods instead of the one requested. In doing
> >some googling, I saw a similar question in which the answer was that
> >LoginHandlers are fixed to handle specific authentication methods only
> >and that a new LoginHandler must be built to handle new methods even if
> >the method identifier is meant to invoke an existing authentication
> >method.
> Yes, there really isn't a way to support multiple methods out of one handler. You'd need
> more than one. If you can configure two copies of the UsernamePassword handler at
> separate locations, that might work, I don't recall. I wrote my own to deal with issues like
> this. There's also the MCB work until V3 is out soon.
> -- Scott

Thanks Scott, 

Apparently Microsoft removed the authentication context element in the request in the last 24 hrs. The client access completes successfully now. Now to find out what's going on...


More information about the users mailing list