How to add the authnmethodsreferences claim in WS-Fed/SAML

Version Affected:  All

Description:  

Starting on October 15, 2024, Microsoft will require all administrators to use MFA when signing in to key management portals, including the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. 

As of today (September 3, 2024), the authnmethodsreferences (AMR) claim is not supported by SAIDP in WS-Fed and SAML realms; it is available only in OIDC realms.

Because the M365 integration is done via WS-Fed, this can lead to a double MFA prompt (if SAIDP is also configured to prompt for MFA).

Cause:  
By design.

Resolution:  
Until support for this claim is added, the following workaround can be used:

  1. Configure SAIDP to always require MFA.
  2. Configure the authnmethodsreferences claim on the Post Authentication tab.
  3. Under the Data tab, set Global Aux ID 2 to http://schemas.microsoft.com/claims/multipleauthn
  4. Below is how the resulting claim in the SAML token would look. From this claim, Azure knows that the user has already performed MFA and won't prompt the user to perform MFA again.

     <saml:Attribute AttributeName="authnmethodsreferences"
                     AttributeNamespace="http://schemas.microsoft.com/claims">
         <saml:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue>
     </saml:Attribute>
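To verify that a token issued by the WS-Fed realm actually carries the claim from step 4 (for example, one captured from a test sign-in), the following added example, which is not SecureAuth code, parses an assertion and reports whether the multipleauthn value is present; it also handles the SAML 2.0 attribute form, and both sample assertions in it are constructed for the check.

```python
# Added example (not SecureAuth code): inspect a SAML assertion for the
# Microsoft AMR claim that the workaround above emits. Both assertions below
# are constructed for this check, not real tokens from SAIDP or Entra ID.
import xml.etree.ElementTree as ET

SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # WS-Fed tokens (SAML 1.1)
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"   # SAML 2.0 realms
CLAIMS_NS = "http://schemas.microsoft.com/claims"
AMR_NAME = "authnmethodsreferences"
MULTIPLE_AUTHN = "http://schemas.microsoft.com/claims/multipleauthn"


def amr_values(assertion_xml: str) -> list[str]:
    """Return every authnmethodsreferences value found in the assertion.
    SAML 1.1 carries the claim as AttributeName + AttributeNamespace (the form
    shown in the article); SAML 2.0 puts the full claim URI in Name."""
    root = ET.fromstring(assertion_xml)
    values: list[str] = []
    for attr in root.iter(f"{{{SAML11_NS}}}Attribute"):
        if (attr.get("AttributeName") == AMR_NAME
                and attr.get("AttributeNamespace") == CLAIMS_NS):
            values += [v.text.strip() for v in attr.findall(f"{{{SAML11_NS}}}AttributeValue") if v.text]
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") == f"{CLAIMS_NS}/{AMR_NAME}":
            values += [v.text.strip() for v in attr.findall(f"{{{SAML2_NS}}}AttributeValue") if v.text]
    return values


def asserts_mfa(assertion_xml: str) -> bool:
    """True when the token tells Entra ID that MFA was already done at the IdP,
    so Entra ID will not prompt again (which is why step 1 must enforce MFA)."""
    return MULTIPLE_AUTHN in amr_values(assertion_xml)


# Constructed WS-Fed (SAML 1.1) assertion carrying the claim from step 3.
WSFED_WITH_MFA = f"""<saml:Assertion xmlns:saml="{SAML11_NS}" AssertionID="_c1" Issuer="https://idp.example.com">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="{AMR_NAME}" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>{MULTIPLE_AUTHN}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion without the claim: Entra ID will prompt for MFA itself.
WSFED_WITHOUT_MFA = f"""<saml:Assertion xmlns:saml="{SAML11_NS}" AssertionID="_c2" Issuer="https://idp.example.com">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="upn" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Run `asserts_mfa()` on a decoded assertion from the realm: a `True` result on a token for a session where SAIDP did not actually enforce MFA means step 1 is misconfigured and Azure will skip its own prompt.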

SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
