[7.12.8] SAML SSO does not work with Azure AD when MFA is activated #9832

Open
sgl-mnrch opened this issue Nov 29, 2022 · 2 comments

sgl-mnrch commented Nov 29, 2022

When I, as a user with activated MFA on the Azure side, want to log in to SuiteCRM, the login is rejected.

Issue

When trying to log in via SAML, Azure AD gives the following error:
AADSTS75011: Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the SuiteCRM application owner.

Expected Behavior

I should be logged in w/o the error.

Actual Behavior

I cannot log in because of this error:

AADSTS75011: Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the SuiteCRM application owner.

Possible Fix

Update the settings in https://github.com/salesagility/SuiteCRM/blob/d57e91389d97791fe621d811f03fe05f8f5a7f78/modules/Users/authentication/SAML2Authenticate/lib/onelogin/settings.php

Remove the requested AuthN method from the request.
From my POV it's unnecessary to require this.
This is also stated by MS in their docs: https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts75011-auth-method-mismatch

Steps to Reproduce

  1. Configure SAML Authentication as described
  2. Try to log in via a private window

Context

Your Environment

  • SuiteCRM Version used: 7.12.8 from Bitnami helm chart
  • Browser name and version (e.g. Chrome Version 51.0.2704.63 (64-bit)):
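
An added diagnostic example, not part of the original issue or of SuiteCRM's code: it decodes a `SAMLRequest` value and reports whether the request pins `RequestedAuthnContext` to exactly PasswordProtectedTransport, the condition the AADSTS75011 message above describes. It assumes the HTTP-Redirect binding (value already URL-decoded); the sample requests, issuer URL and ID are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

def decode_redirect_request(saml_request: str) -> bytes:
    """Undo the HTTP-Redirect binding encoding: base64, then raw DEFLATE."""
    return zlib.decompress(base64.b64decode(saml_request), -15)

def requested_authn_context(xml: bytes):
    """Return (comparison, [class refs]), or None if no context is requested."""
    # Meant for requests from your own SP; use defusedxml for untrusted XML.
    rac = ET.fromstring(xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None
    refs = [e.text.strip()
            for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    # SAML 2.0 core: an omitted Comparison attribute means "exact".
    return rac.get("Comparison", "exact"), refs

def pins_password_only(xml: bytes) -> bool:
    """True if the IdP may only answer with PasswordProtectedTransport."""
    return requested_authn_context(xml) == ("exact", [PPT])

def _encode(xml: str) -> str:
    """Helper for the constructed samples: raw DEFLATE, then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

# Constructed sample requests; issuer and ID are placeholders.
_HEAD = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" '
         'ID="_constructed1" Version="2.0" '
         'IssueInstant="2022-11-29T00:00:00Z">'
         '<saml:Issuer>https://crm.example.test/</saml:Issuer>'
         % (NS["samlp"], NS["saml"]))
PINNED = _encode(_HEAD + '<samlp:RequestedAuthnContext Comparison="exact">'
                 '<saml:AuthnContextClassRef>' + PPT +
                 '</saml:AuthnContextClassRef>'
                 '</samlp:RequestedAuthnContext></samlp:AuthnRequest>')
RELAXED = _encode(_HEAD + '</samlp:AuthnRequest>')

if __name__ == "__main__":
    for name, req in (("pinned", PINNED), ("relaxed", RELAXED)):
        xml = decode_redirect_request(req)
        print(name, requested_authn_context(xml), pins_password_only(xml))
```

A request without `RequestedAuthnContext` states no minimum authentication strength, so any MFA requirement then has to be enforced on the identity provider side.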

@ibanvaqe

Hi @sgl-mnrch,

Could you correct this issue?

@sgl-mnrch
Author

No, I am neither a PHP expert nor a SAML expert. Sorry.
