KB-XXXX "SAML authentication request's RequestedAuthenticationContext's Comparison value must be 'Exact'" error thrown when using Microsoft Azure AD as a SAML Identity Provider

Symptoms

When setting up a new SAML configuration using Microsoft Azure AD as the SAML Identity Provider, the following error is thrown when authenticating:

AADSTS90023: SAML authentication request's RequestedAuthenticationContext's Comparison value must be "Exact"

Cause

Appian uses a RequestedAuthnContext comparison type of minimum, which is not supported by Azure AD as of August 2018.

Action

In Appian's SAML settings located in the Appian Administration Console, set the value for "Authentication Method" to None, and retest the authentication.

As a result, Azure AD uses urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the AuthnContextClassRef value, as this is the only one supported by Azure AD.
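
To confirm the cause before and after changing the setting, the AuthnRequest sent to Azure AD can be decoded and its RequestedAuthnContext inspected. The following Python is an added example, not Appian or Microsoft code; the function names and the sample request are constructed for illustration, and it assumes the request was captured from the HTTP-Redirect binding (base64 of raw DEFLATE, already URL-decoded).

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample request (not captured from a real system).
SAMPLE = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2018-08-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def encode_redirect_binding(xml_bytes: bytes) -> str:
    """Build a SAMLRequest value the way the HTTP-Redirect binding does (test helper)."""
    c = zlib.compressobj(wbits=-15)  # -15 = raw DEFLATE, no zlib header
    return base64.b64encode(c.compress(xml_bytes) + c.flush()).decode()

def decode_redirect_binding(saml_request: str) -> bytes:
    """Undo the HTTP-Redirect encoding: base64, then raw DEFLATE."""
    return zlib.decompress(base64.b64decode(saml_request), -15)

def inspect_authn_context(xml_bytes: bytes) -> dict:
    """Report the RequestedAuthnContext of an AuthnRequest and whether its
    Comparison differs from the 'exact' that AADSTS90023 demands."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not expected in SAML messages")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:  # no element, so no Comparison value is sent at all
        return {"present": False, "comparison": None, "class_refs": [], "non_exact": False}
    comparison = rac.get("Comparison", "exact")  # SAML 2.0 default when omitted
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return {"present": True, "comparison": comparison, "class_refs": refs,
            "non_exact": comparison != "exact"}

if __name__ == "__main__":
    req = encode_redirect_binding(SAMPLE)
    print(inspect_authn_context(decode_redirect_binding(req)))
```

A result with `non_exact` set to true matches the condition described under Cause; after the change in the Administration Console, the same check on a fresh request should no longer report it.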

Affected Versions

This article applies to Appian version 7.11 and later.

Last Reviewed: August 2018.