node-saml/passport-saml

SAML provider returned Responder error: NoAuthnContext

garycjohnson opened this issue · 4 comments

Please close this issue - I'm only raising it as a record of an issue I've been fighting with for the last few days with integrating to a client's ADFS server in the hope it might help someone else in future.

We've developed a multi-tenant app that uses passport-saml to support SAML integration into various clients' ADFS servers for identity. This was working fine for many clients and then we had a strange issue.

For one client they could authenticate absolutely fine when logging in from outside their corporate network (e.g. through smartphone browser) but when logging in on their corporate network we got this error from passport-saml:
SAML provider returned Responder error: NoAuthnContext

Same users - same ADFS server - different behaviour if outside or inside their corporate network.

After much struggling it was discovered that passport-saml by default includes a RequestedAuthnContext of "PasswordProtectedTransport" (PPT). The client's AD FS was set up such that requests coming from within their corporate network did not support PPT and insisted that the Windows Federation Authentication protocol be used for the authentication context.

passport-saml was requesting that only the PPT authentication context be used and this was causing our error NoAuthnContext.

Fortunately, passport-saml has an easy fix for this ... you need to set the option:
disableRequestedAuthnContext: true
when setting up your SAML passport strategy. By doing this the SAML request will not request any particular authentication context and allow ADFS to make its own decision.

Problem solved.

Thank you, @garycjohnson ! You saved me probably hours of work looking up ways to fix this :)

So what's the preferred solution currently?

  • disableRequestedAuthnContext: true — If truthy, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.

  • racComparison: 'minimum' — Requested Authentication Context comparison type. Possible values are: 'exact', 'minimum', 'maximum', 'better'. Default is 'exact'.

    • List of possible values:

      • exact : Assertion context must exactly match a context in the list
      • minimum: Assertion context must be at least as strong as a context in the list
      • maximum: Assertion context must be no stronger than a context in the list
      • better: Assertion context must be stronger than all contexts in the list
    • That didn't work though:

      • Message: AADSTS900235: SAML authentication request's RequestedAuthenticationContext Comparison value must be 'exact'. Received value: 'Minimum'.
  • authnContext — Name identifier format to request auth context (default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport); array of values is also supported

authnContext: [
  'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
  'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'
]
  • Something else?

For reference:

From https://knowledge.informatica.com/s/article/ERROR-AADSTS900235-SAML-authentication-request-s-RequestedAuthenticationContext-Comparison-value-must-be-exact-Received-value-Minimum-while-login-through-SAML-authentication-after-upgrade-to-10-5?language=en_US

ERROR: "AADSTS900235: SAML authentication request's RequestedAuthenticationContext Comparison value must be 'exact'. Received value: 'Minimum'." while login through SAML authentication after upgrade to 10.5.

May 22, 2021•Knowledge 000165371
Description
We could see the below error while login to Informatica using SAML authentication after upgrade:

AADSTS900235: SAML authentication request's RequestedAuthenticationContext Comparison value must be 'exact'

LDAP Type: Microsoft Active Directory
IDP is Azure Active Directory

Environment variable ACJVMCommandLineOptions=-DINFA_SAML_REQ_AUTH_CXT_COMP=Exact was also set.
Solution
To resolve this issue, do the following:

Enable Authorization Context Comparison value was set to MINIMUM in the admin console under SAML Configuration.

In Admin Console, under SAML Configuration, Change the Enable Authorization Context Comparison = EXACT, instead of MINIMUM
Restart the domain
  • authnContext — Name identifier format to request auth context (default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport); array of values is also supported

Being explicit about what you want is always the better option. I would personally favor this instead of turning the feature off or generally allowing minimum.
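The following is an added example, not code from passport-saml or from anyone in this thread. It re-implements, in plain Node.js with no dependencies, how the three options discussed above (disableRequestedAuthnContext, authnContext, racComparison) shape the RequestedAuthnContext element of an AuthnRequest, and simulates the two IdP behaviours the thread reports: an ADFS that only offers Windows authentication on the intranet (Responder/NoAuthnContext) and Azure AD rejecting any Comparison other than 'exact' (AADSTS900235). The option names match passport-saml's README; the helper names, the IdP policy objects, the strength ordering used for the non-exact comparison types, and the urn:federation:authentication:windows class string for ADFS Windows Integrated Authentication are assumptions made for illustration.

```javascript
'use strict';

// Authentication context class URIs used in this thread. The Windows one is
// assumed to be the class ADFS reports for Windows Integrated Authentication.
const PPT = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport';
const X509 = 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509';
const WINDOWS = 'urn:federation:authentication:windows';

const COMPARISONS = ['exact', 'minimum', 'maximum', 'better'];

// Illustrative strength ordering (weakest first), used only to evaluate the
// non-exact comparison types. Real IdPs define their own ordering.
const STRENGTH = [PPT, WINDOWS, X509];
const rank = (uri) => STRENGTH.indexOf(uri);

// Build the <samlp:RequestedAuthnContext> fragment the SP embeds in its
// AuthnRequest from passport-saml-style options. Returns '' when
// disableRequestedAuthnContext is truthy: the element is omitted entirely,
// which is what lets the IdP pick the context itself.
function requestedAuthnContext(options = {}) {
  if (options.disableRequestedAuthnContext) return '';
  const comparison = options.racComparison || 'exact';
  if (!COMPARISONS.includes(comparison)) {
    throw new Error(`racComparison must be one of ${COMPARISONS.join(', ')}`);
  }
  const classes = [].concat(options.authnContext || PPT); // string or array
  const refs = classes
    .map((c) => `<saml:AuthnContextClassRef>${c}</saml:AuthnContextClassRef>`)
    .join('');
  return `<samlp:RequestedAuthnContext Comparison="${comparison}">${refs}</samlp:RequestedAuthnContext>`;
}

// Parse the fragment back into { comparison, classes }; null when absent.
function parseRequestedAuthnContext(xml) {
  const m = /Comparison="(\w+)"/.exec(xml);
  if (!m) return null;
  const classes = [...xml.matchAll(/<saml:AuthnContextClassRef>([^<]+)</g)].map((x) => x[1]);
  return { comparison: m[1], classes };
}

// Hypothetical IdP policies standing in for the servers described in the thread.
const ADFS_INTRANET = { name: 'ADFS (inside corporate network)', supported: [WINDOWS], requireExact: false };
const ADFS_EXTRANET = { name: 'ADFS (outside corporate network)', supported: [PPT], requireExact: false };
const AZURE_AD = { name: 'Azure AD', supported: [PPT, X509], requireExact: true };

// Simulate the IdP deciding whether it can satisfy the request. Returns the
// status the SP would see: Success, Responder/NoAuthnContext, or the Azure AD
// request-rejection error text.
function simulateIdp(policy, options) {
  const req = parseRequestedAuthnContext(requestedAuthnContext(options));
  if (req === null) {
    // No RequestedAuthnContext at all: the IdP authenticates however it likes.
    return { status: 'Success', authnContext: policy.supported[0] };
  }
  if (policy.requireExact && req.comparison !== 'exact') {
    const received = req.comparison[0].toUpperCase() + req.comparison.slice(1);
    return {
      status: 'Requester',
      message: `AADSTS900235: SAML authentication request's RequestedAuthenticationContext Comparison value must be 'exact'. Received value: '${received}'.`,
    };
  }
  const ranks = req.classes.map(rank);
  const acceptable = policy.supported.filter((s) => {
    switch (req.comparison) {
      case 'exact': return req.classes.includes(s);
      case 'minimum': return rank(s) >= Math.min(...ranks);
      case 'maximum': return rank(s) <= Math.max(...ranks);
      case 'better': return rank(s) > Math.max(...ranks);
      default: return false;
    }
  });
  if (acceptable.length === 0) return { status: 'Responder', subStatus: 'NoAuthnContext' };
  return { status: 'Success', authnContext: acceptable[0] };
}

// Mirror the error string passport-saml surfaced in the original post.
function spErrorMessage(result) {
  if (result.status === 'Success') return null;
  if (result.message) return result.message;
  return `SAML provider returned ${result.status} error: ${result.subStatus}`;
}

// The thread's scenarios side by side: default options, the disable switch,
// racComparison 'minimum' against Azure AD, and an explicit class list.
function scenarios() {
  return {
    defaultAgainstIntranetAdfs: spErrorMessage(simulateIdp(ADFS_INTRANET, {})),
    defaultAgainstExtranetAdfs: spErrorMessage(simulateIdp(ADFS_EXTRANET, {})),
    disabledAgainstIntranetAdfs: simulateIdp(ADFS_INTRANET, { disableRequestedAuthnContext: true }).authnContext,
    minimumAgainstAzureAd: spErrorMessage(simulateIdp(AZURE_AD, { racComparison: 'minimum' })),
    explicitListAgainstIntranetAdfs: simulateIdp(ADFS_INTRANET, { authnContext: [PPT, WINDOWS] }).authnContext,
    explicitListAgainstAzureAd: simulateIdp(AZURE_AD, { authnContext: [PPT, X509] }).authnContext,
  };
}

console.log(requestedAuthnContext({}));
console.log(scenarios());
```

Running it shows the default request (exact, PPT only) producing "SAML provider returned Responder error: NoAuthnContext" against the intranet ADFS policy while succeeding against the extranet one, 'minimum' being rejected outright by the Azure AD policy, and an explicit list containing the context each IdP actually offers succeeding with Comparison left at 'exact', which is the option the last comment recommends.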