Is there a way to support SAML-based SSO if authentication is done at IDP via FIDO
I have configured my IDP EntraID for FIDO authentication. When I try to login to IIQ through EntraID it fails. I used SAML trace to look at the SAML assertion. It looks like it fails to generate the SAML response.
I am not sure if this is an IdentityIQ limitation or an EntraID problem.
The default IIQ uses is urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, but MS is using a different authentication class (FIDO, in your case).
You can modify your SAMLConfig in XML and set authnContextClassRef="noRequestedAuthnContext". It’s an attribute of the SAMLConfig XML tag. This is a special value which will cause IIQ to pass no requested authn context class, leaving authentication to IdP discretion. That’s specifically what Microsoft suggests in the article I linked above.
Alternatively, if your security folks don’t like that, you can try authnContextComparison="minimum", but I don’t know whether that will suffice for Microsoft purposes. That’s worked with Shibboleth IDP for me. (Other values here are “maximum” and “better”.)
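The following is an added example (not code from the thread, SailPoint or Microsoft) that models what the two SAMLConfig settings change: the RequestedAuthnContext the SP sends, and whether the class the IdP actually returns satisfies it under each Comparison mode. The strength ranking and the FIDO class URI are assumptions for illustration; SAML leaves that ordering to the deployment.

```python
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
FIDO = "urn:example:ac:classes:FIDO"  # placeholder URI, not the real Entra ID class

# Assumed strength ordering (constructed for this example; not a standard table).
STRENGTH = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified": 0,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    PPT: 2,
    FIDO: 3,
}

def build_requested_authn_context(class_ref, comparison="exact"):
    """Build the <samlp:RequestedAuthnContext> the SP puts in its AuthnRequest.
    The special value "noRequestedAuthnContext" mirrors the IIQ setting: send none."""
    if class_ref == "noRequestedAuthnContext":
        return None
    rac = ET.Element(f"{{{NS_SAMLP}}}RequestedAuthnContext", Comparison=comparison)
    ET.SubElement(rac, f"{{{NS_SAML}}}AuthnContextClassRef").text = class_ref
    return rac

def context_satisfies(requested, returned_class):
    """Apply the SAML 2.0 Comparison semantics (exact/minimum/better/maximum) to
    the class the IdP returned. Unknown classes never satisfy a request."""
    if requested is None:  # nothing requested: the IdP's choice is accepted
        return True
    want = requested.find(f"{{{NS_SAML}}}AuthnContextClassRef").text
    need = STRENGTH[want]
    have = STRENGTH.get(returned_class, -1)
    return {"exact": have == need, "minimum": have >= need,
            "better": have > need, "maximum": have <= need}[requested.get("Comparison")]

def authn_context_from_response(response_xml):
    """Extract AuthnContextClassRef from a (plain, unsigned) SAML Response; the SP
    should check this value itself rather than trust that the IdP honoured the request."""
    node = ET.fromstring(response_xml).find(f".//{{{NS_SAML}}}AuthnContextClassRef")
    return node.text.strip() if node is not None else None

# Constructed minimal Response, as an IdP might return after a passwordless logon.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}">
  <saml:Assertion><saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>{FIDO}</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>
</samlp:Response>"""
```

With the IIQ default (PasswordProtectedTransport, exact) the FIDO response fails the check, while "minimum" or sending no RequestedAuthnContext accepts it under the assumed ordering.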