Which IIQ version are you inquiring about?
8.3
Share all details about your problem, including any error messages you may have received.
I’m trying to enable SSO for IdentityIQ. IDP is Azure SSO. I have configured everything as per the SSO SAML documentation but encountering the following error after authentication with Azure SSO.
AADSTS75011: Authentication method ‘MultiFactor, PasswordlessPhoneSignIn’ by which the user authenticated with the service doesn’t match requested authentication method ‘Password, ProtectedTransport’. Contact the Sailpoint SSO application owner.
It looks like the SAML Request from IIQ is expecting urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport and Azure is giving back another authentication method. I want to edit the SAML Configuration to add forceAuthn="true" to the SAML config attribute. But the system is not allowing me to save it after I edit it. Please help.
Below is the SAML request generated by IIQ:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://iiq-domain.com/identityiq/home.jsf"
    Destination="https://login.microsoftonline.com/sfdsdfg7687/saml2"
    ForceAuthn="false"
    ID="_65445643565676346435654"
    IsPassive="false"
    IssueInstant="2024-11-01T17:47:49.790Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0"
    >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://https://iiq-domain.com/identityiq/home.jsf</saml2:Issuer>
    <saml2p:NameIDPolicy AllowCreate="true"
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        />
    <saml2p:RequestedAuthnContext Comparison="exact">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
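The mismatch described in the post, as an added example that is not part of the original thread: a small Python check that parses the RequestedAuthnContext out of an AuthnRequest and applies the Comparison="exact" rule an IdP enforces, showing why an MFA-based sign-in fails the request above while a request with no RequestedAuthnContext accepts any method. The sample request and the MFA class URN are constructed placeholders, not values from IIQ or Azure.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample modelled on the AuthnRequest in the post; IDs and URLs are placeholders.
AUTHN_REQUEST = f"""<saml2p:AuthnRequest xmlns:saml2p="{SAMLP}"
    ID="_example-request-id" Version="2.0" ForceAuthn="false"
    IssueInstant="2024-11-01T17:47:49.790Z">
  <saml2:Issuer xmlns:saml2="{SAML}">https://iiq.example/identityiq/home.jsf</saml2:Issuer>
  <saml2p:RequestedAuthnContext Comparison="exact">
    <saml2:AuthnContextClassRef xmlns:saml2="{SAML}">{PPT}</saml2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>"""

# Constructed stand-in for whatever class URN an IdP reports for an MFA sign-in.
MFA_CLASS = "urn:example:ac:classes:MultiFactor"


def requested_authn_context(xml_text):
    """Return (comparison, [class refs]) from the AuthnRequest, or None when the
    request carries no RequestedAuthnContext and so does not constrain the method."""
    root = ET.fromstring(xml_text)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None
    comparison = rac.get("Comparison", "exact")  # SAML 2.0 core: default is "exact"
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return comparison, refs


def idp_can_satisfy(requested, asserted_class):
    """Mirror the IdP-side decision for Comparison="exact": the class the user actually
    authenticated with must be one of the requested classes, otherwise the IdP must
    refuse (Azure reports this refusal as AADSTS75011). Other comparison modes are
    IdP-specific and deliberately not modelled here."""
    if requested is None:
        return True
    comparison, refs = requested
    if comparison != "exact":
        raise NotImplementedError(f"Comparison={comparison!r} not modelled")
    return asserted_class in refs


if __name__ == "__main__":
    req = requested_authn_context(AUTHN_REQUEST)
    print("requested:", req)
    print("password sign-in satisfies request:", idp_can_satisfy(req, PPT))
    print("MFA sign-in satisfies request:", idp_can_satisfy(req, MFA_CLASS))
    print("MFA sign-in with no RequestedAuthnContext:", idp_can_satisfy(None, MFA_CLASS))
```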