Version Affected: [22.12 and later]
Description:
When Microsoft External Authentication Method (EAM) is configured with SecureAuth IdP, Entra ID returns the error below to users who authenticate with the PUSH or Symbol2Accept MFA methods:
AADSTS5001256: Failed to complete authentication with external provider due to invalid id_token. Failure details: missing required 'acr' claim.
Cause:
Debug logs:
Message="[TokenService].[AttachAmrAcr] Current registration Method is.PUSHACCEPT"
or
Message="[TokenService].[AttachAmrAcr] Current registration Method is.SYMBOL2ACCEPT"
Message="[TokenService].[AttachAmrAcr] Registration method: pushaccept doesn't map to a supported amr value password, sms, call, email, help_desk, push, push_accept, push_accept_symbol, push_accept_biometric, oath, yubikey, sms_link, email_link,
Because PUSHACCEPT and SYMBOL2ACCEPT do not match the supported AMR values push_accept and push_accept_symbol, these methods are not populated in the AMR claim, and the id_token is issued without the acr claim that Entra ID requires.
Resolution:
The issue is fixed in 24.04 RU3, which adds swk (software key) as a supported method and maps both PUSHACCEPT and SYMBOL2ACCEPT to swk, as shown in the token below:
Sample id_token when the PUSHACCEPT or SYMBOL2ACCEPT method is used: Id_token
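The mapping failure and the 24.04 RU3 fix, modelled as an added example (not SecureAuth or Microsoft code): the registration method is lower-cased and looked up against the supported amr list, as the debug log shows, and the fix adds an explicit PUSHACCEPT/SYMBOL2ACCEPT to swk mapping in front of that lookup. The acr value `possessionorinherence`, the assumption that acr is attached together with amr, and the claim layout are assumptions, not taken from the article.

```python
"""Added example: models [TokenService].[AttachAmrAcr] before and after the
24.04 RU3 change.  Assumptions are marked in comments."""
from typing import Optional

# Supported amr values as listed in the debug log above (the log line is
# truncated on the page); "swk" is the value added in 24.04 RU3.
SUPPORTED_AMR = {
    "password", "sms", "call", "email", "help_desk", "push", "push_accept",
    "push_accept_symbol", "push_accept_biometric", "oath", "yubikey",
    "sms_link", "email_link", "swk",
}

# 24.04 RU3 mapping from the article.  Assumption: it is consulted before the
# plain-name lookup that the debug log shows.
FIXED_METHOD_MAP = {"PUSHACCEPT": "swk", "SYMBOL2ACCEPT": "swk"}

# Assumed acr value that Entra ID expects from an external authentication method.
ENTRA_ACR = "possessionorinherence"


def map_registration_method(method: str, fixed: bool) -> Optional[str]:
    """Return the amr value for a registration method, or None when unmapped.

    Pre-fix behaviour mirrors the log: the method name is lower-cased and must
    equal a supported amr value exactly ("pushaccept" != "push_accept").
    """
    if fixed and method.upper() in FIXED_METHOD_MAP:
        return FIXED_METHOD_MAP[method.upper()]
    candidate = method.lower()
    return candidate if candidate in SUPPORTED_AMR else None


def attach_amr_acr(claims: dict, method: str, fixed: bool) -> dict:
    """Add amr and acr to the id_token claims when the method maps.

    Assumption (drawn from the 'missing required acr claim' symptom): acr is
    only attached when an amr value was found, so an unmapped method yields a
    token with neither claim.
    """
    amr = map_registration_method(method, fixed)
    if amr is None:
        return dict(claims)
    return {**claims, "amr": [amr], "acr": ENTRA_ACR}


def entra_token_error(claims: dict) -> Optional[str]:
    """Relying-party side check that reproduces the AADSTS5001256 detail text."""
    if "acr" not in claims:
        return "missing required 'acr' claim"
    return None
```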
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.