Tags: azure-active-directory, amazon-cognito, saml

AzureAD SAML SSO through AWS Cognito - doesn't match requested authentication method


We are experiencing an issue when we try to sign in to our app via SSO through AWS Cognito. The SSO is configured via a SAML IdP for the given user pool. If the user is logged into the given Azure AD while logging into their Windows account and then tries to sign in to the app, the following error message is shown: "Error - AADSTS75011 Authentication method by which the user authenticated with the service doesn't match requested authentication method AuthnContextClassRef".

While I was researching possible solutions I was unable to find a way to change the Cognito SAML request in order to modify AuthnContext and set it to "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified", or to remove it altogether.

We are using aws/aws-sdk-php in order to initiate authentication via Cognito, but I didn't see a parameter or anything else that can be passed in order to manipulate this security setting.

If someone can provide some clarity or guidance how to resolve this issue it would be greatly appreciated.

Thanks in advance!
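The error quoted above is a comparison between the authentication context the SP asked for and the one the IdP actually asserted. The following Python script is an added example (it is not from the question's author, from AWS, or from Microsoft) that shows how to make that comparison yourself: it decodes a SAMLRequest carried on the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding), reads its RequestedAuthnContext, and checks it against the AuthnContextClassRef in the IdP's response under the default "exact" comparison. The AuthnRequest and Response XML, the issuer names, the URLs and the class-ref values are constructed sample values; the real ones must be read from the redirect and the response in your own browser session.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample AuthnRequest, shaped like what an SP sends over the
# HTTP-Redirect binding. Issuer, URLs and the requested class ref are
# assumptions for this example, not values captured from Cognito.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example-request-id" Version="2.0" IssueInstant="2023-01-01T00:00:00Z"
  Destination="https://login.example.test/saml2"
  AssertionConsumerServiceURL="https://sp.example.test/saml2/idpresponse">
  <saml:Issuer>urn:example:sp</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed sample Response (signature omitted) in which the IdP asserts a
# Windows-integrated sign-in; the class ref is a sample value, not captured.
SAMPLE_RESPONSE = """<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example-response-id" Version="2.0" IssueInstant="2023-01-01T00:00:01Z">
  <saml:Issuer>urn:example:idp</saml:Issuer>
  <saml:Assertion ID="_example-assertion-id" Version="2.0" IssueInstant="2023-01-01T00:00:01Z">
    <saml:Issuer>urn:example:idp</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2023-01-01T00:00:01Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:federation:authentication:windows</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_redirect_request(xml: str, idp_sso_url: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    compressor = zlib.compressobj(wbits=-15)  # -15 selects raw DEFLATE (no zlib header)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return idp_sso_url + "?" + urllib.parse.urlencode({"SAMLRequest": b64})


def decode_redirect_request(url: str) -> str:
    """Reverse of encode_redirect_request: pull SAMLRequest out of the URL and inflate it."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(deflated, wbits=-15).decode("utf-8")


def requested_authn_context(authn_request_xml: str):
    """Return (comparison, [class refs]); (None, []) when the request has no RequestedAuthnContext."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return rac.get("Comparison", "exact"), refs


def asserted_authn_context(response_xml: str):
    """Class refs the IdP asserted in the AuthnStatement(s) of the Response."""
    root = ET.fromstring(response_xml)
    path = "saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in root.findall(path, NS)]


def context_satisfied(comparison, requested, asserted):
    """SAML core rule for Comparison="exact" (the default): one asserted class ref must be
    in the requested list. No RequestedAuthnContext means any context is acceptable.
    'minimum', 'better' and 'maximum' rely on an IdP-defined ordering, so they are
    reported as undecided (None) rather than guessed."""
    if comparison is None:
        return True
    if comparison != "exact":
        return None
    return any(ref in requested for ref in asserted)


def diagnose(redirect_url: str, response_xml: str) -> dict:
    """Decode the request, read both sides' class refs and report whether they line up."""
    comparison, requested = requested_authn_context(decode_redirect_request(redirect_url))
    asserted = asserted_authn_context(response_xml)
    return {"comparison": comparison, "requested": requested, "asserted": asserted,
            "satisfied": context_satisfied(comparison, requested, asserted)}


if __name__ == "__main__":
    sample_url = encode_redirect_request(SAMPLE_AUTHN_REQUEST, "https://login.example.test/saml2")
    print(diagnose(sample_url, SAMPLE_RESPONSE))
```

To use this on a live session, paste the full redirect URL the browser is sent to into `decode_redirect_request` and the base64-decoded SAMLResponse form field into `asserted_authn_context`; `satisfied` being False with the sample data reproduces the situation the error message describes, while a request without any RequestedAuthnContext is satisfied by whatever the IdP asserts.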


Solution

  • SAML (Security Assertion Markup Language) is an open standard that uses identity providers (IdPs) and service providers (SPs) to authenticate users. To accomplish the SAML authentication, we need to ensure that SAML IdP and SAML SP have exchanged their public key/certificate with each other, and the accurate configuration for SAML token format which is well recognized by both SAML IdP and SAML SP.

    Quoting your question: "We are experiencing an issue when we try to sign in to our app via SSO through AWS Cognito. The SSO is configured via a SAML IdP for the given user pool. If the user is logged into the given Azure AD while logging into their Windows account and then tries to sign in to the app, the following error message is shown: "Error - AADSTS75011 Authentication method by which the user authenticated with the service doesn't match requested authentication method AuthnContextClassRef"."

    Answer:

    Both Azure AD and AWS Cognito are SAML IdPs.

    Your app is SAML SP.

    You can only use one SAML IdP (either Azure AD or AWS Cognito) to authenticate SAML SP which is your app.

    You can NOT use two SAML IdPs (e.g., both Azure AD and AWS Cognito) to authenticate the same SAML SP (which is your app) at the same time.

    Resolution:

    (1) Sign in to your app (which is SAML SP) via SSO through AWS Cognito.

    or

    (2) Sign in to your app (which is SAML SP) via SSO through Azure AD.

    If you have signed in to your app (which is SAML SP) via SSO through AWS Cognito, then just log out of your app and clear the browser cookie for AWS Cognito. Then you can sign in to your app via SSO through Azure AD.

    In addition, you can use the following open-source Shibboleth SAML IdP and SP to gain more knowledge of the entire SAML authentication flow for your app, as demonstrated below.

    (1) After a user has authenticated with the SAML IdP, the user is redirected to the AssertionConsumerService URL of your enterprise application.

    (2) The GitHub repository "How to build and run Shibboleth SAML IdP and SP using Docker container" provides instructions on building a SAML-based Authentication/Authorization Provider using Shibboleth SAML IdP and OpenLDAP, and a SAML SP web application (which can be regarded as a simplified enterprise application that allows paid users to access protected web resources).

    • Shibboleth SAML IdP is responsible for identity federation.
    • OpenLDAP is responsible for identity authentication.

    You can use the above GitHub repository to simulate selected SAML SP enterprise applications (such as Office 365, G Suite, Salesforce, etc.) with multiple customers and their corresponding SAML IdPs.