KB-1686 "SAML authentication request's RequestedAuthenticationContext's Comparison value must be 'Exact'" error thrown when using Microsoft Azure AD as a SAML Identity Provider

Symptoms

When setting up a new SAML configuration using Microsoft Azure AD as the SAML Identity Provider, the following error is thrown when authenticating:

AADSTS90023: SAML authentication request's RequestedAuthenticationContext's Comparison value must be "Exact"

Cause

Appian sends its RequestedAuthnContext with a comparison type of minimum. Azure AD requires Service Providers to use a comparison type of exact, which Appian does not support.

Action

In Appian's SAML settings located in the Appian Administration Console, set the value for Authentication Method to None and retest the authentication.

This prompts Azure AD to use urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the AuthnContextClassRef value, as this is the only value supported by Azure AD as of August 2018.
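
To confirm which Comparison value a Service Provider is actually sending, before and after the change, the SAMLRequest parameter captured from the browser redirect can be decoded and inspected. The Python below is an added example, not Appian or Microsoft code; it assumes the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding), and the function names and sample requests are constructed for illustration.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

def decode_redirect_request(saml_request: str) -> bytes:
    """Decode a SAMLRequest query value (URL-encoded base64 of a raw DEFLATE stream)."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request))
    return zlib.decompress(raw, -15)  # -15: raw DEFLATE, no zlib header

def inspect_authn_context(xml_bytes: bytes) -> dict:
    """Report what the AuthnRequest asks for in RequestedAuthnContext."""
    root = ET.fromstring(xml_bytes)  # only parse requests captured from your own SP
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        # No element, so there is no Comparison value for the IdP to reject.
        return {"present": False, "comparison": None, "class_refs": [], "comparison_ok": True}
    # SAML 2.0 core: an omitted Comparison attribute defaults to "exact".
    comparison = rac.get("Comparison", "exact")
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return {"present": True, "comparison": comparison, "class_refs": refs,
            "comparison_ok": comparison == "exact"}

def build_sample(requested_context: str) -> str:
    """Constructed demo input: wrap a RequestedAuthnContext fragment and encode it."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_constructed1" Version="2.0">{requested_context}</samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    packed = deflater.compress(xml.encode()) + deflater.flush()
    return urllib.parse.quote(base64.b64encode(packed).decode(), safe="")

def context(attrs: str) -> str:
    """Constructed RequestedAuthnContext fragment with the given attribute string."""
    return (f"<samlp:RequestedAuthnContext{attrs}><saml:AuthnContextClassRef>{PASSWORD}"
            "</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>")

SAMPLES = {  # constructed requests, not captured traffic
    "minimum": build_sample(context(' Comparison="minimum"')),
    "omitted": build_sample(context("")),
    "no_context": build_sample(""),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, inspect_authn_context(decode_redirect_request(value)))
```

A request that reports comparison_ok as False is the kind that produces AADSTS90023; the "no_context" sample assumes a Service Provider that omits RequestedAuthnContext entirely.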

Affected Versions

This article applies to Appian version 7.11 and later.

Last Reviewed: August 2018
