Issue
This knowledge base article describes an issue encountered when configuring SAML Single Sign-On (SSO) in a Mendix application integrated with Microsoft Entra ID (formerly Azure Active Directory), specifically when multiple Authentication Context Class References (ACCRs) are configured.
The unexpected behavior occurs when both the Public Key – X.509 and PasswordProtectedTransport authentication contexts are configured with the Exact comparison setting: SSO fails for users authenticating via Windows Hello (Face/PIN), while password-based logins succeed.
The observed behavior is the following:
1. When AuthenticationContextClassRef = X.509 only
・Windows Hello (Face/PIN): Success
・Password login: Failure
2. When AuthenticationContextClassRef = X.509 + PasswordProtectedTransport
・Windows Hello (Face/PIN): Failure
・Password login: Success
Environment
SAML (all versions)
Cause
Microsoft Entra ID does not treat a list of AuthnContextClassRef values with Comparison = exact as "any one of these", which is what the SAML 2.0 specification prescribes for exact; in practice it behaves as a logical AND. Windows Hello (certificate-based) fails when both X.509 and PasswordProtectedTransport are requested because it cannot satisfy the password context and Entra ID does not fall back to another method. Password login still succeeds because it satisfies the password context and Entra ID issues the assertion anyway, even though the certificate context is not met.
When only X.509 is requested, Windows Hello succeeds because it presents a certificate-based authentication context, while password login fails because it cannot satisfy the certificate requirement.
Solution / Workaround
To support both Windows Hello (certificate-based) and password-based authentication within a single Mendix SAML application, the recommended approach is to use the following settings:
Authentication Context Comparison = Exact (the default)
Authentication Context Classes = none (empty)
When no Authentication Context Class References are specified, the Mendix SAML module omits the RequestedAuthnContext element from the SAML AuthnRequest entirely. Microsoft Entra ID (Azure AD) then selects the authentication method based on its own configuration and Conditional Access policies, so users can authenticate with either Windows Hello (Face/PIN) or a traditional password and SSO behaves consistently across authentication methods. Note that the application no longer constrains authentication strength in this configuration; any MFA or method requirement must be enforced in Entra ID (for example through Conditional Access) rather than in the SAML request.
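The quickest way to confirm which of the two configurations an application is actually sending is to decode the SAMLRequest query parameter from the redirect to Entra ID and look for RequestedAuthnContext. The following Python script is an added example, not code from the Mendix SAML module: it builds two constructed AuthnRequests (one requesting X.509 + PasswordProtectedTransport with exact comparison, one with no classes configured), encodes them the way the HTTP-Redirect binding does (raw DEFLATE, base64, URL-encode), and decodes them back to report the requested contexts. The issuer, destination and ACS URLs are hypothetical placeholders.

```python
"""Inspect the RequestedAuthnContext of a SAML AuthnRequest (HTTP-Redirect binding).

Added example for troubleshooting; not Mendix module code. The AuthnRequest
contents, issuer and URLs below are constructed placeholders.
"""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Standard SAML 2.0 authentication context class URIs
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def build_authn_request(class_refs, comparison="exact"):
    """Return a minimal AuthnRequest as XML text.

    An empty class_refs list omits RequestedAuthnContext entirely, which is
    what the recommended configuration (no classes configured) produces.
    """
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": "_example-request-id",          # constructed
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",
        # hypothetical tenant endpoint and SP URLs
        "Destination": "https://login.microsoftonline.com/TENANT-ID/saml2",
        "AssertionConsumerServiceURL": "https://app.example.com/SSO/assertion",
    })
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = "https://app.example.com/SSO/metadata"
    if class_refs:
        rac = ET.SubElement(root, f"{{{NS['samlp']}}}RequestedAuthnContext",
                            {"Comparison": comparison})
        for ref in class_refs:
            ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = ref
    return ET.tostring(root, encoding="unicode")


def encode_redirect_binding(xml_text):
    """Raw DEFLATE + base64 + URL-encode, as the SAMLRequest parameter is sent."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_binding(saml_request_param):
    """Reverse encode_redirect_binding and return the AuthnRequest XML text."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request_param))
    return zlib.decompress(raw, -15).decode("utf-8")


def requested_authn_context(saml_request_param):
    """Return (comparison, [class refs]) or None when RequestedAuthnContext is absent."""
    root = ET.fromstring(decode_redirect_binding(saml_request_param))
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None
    refs = [e.text for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return rac.get("Comparison", "exact"), refs


if __name__ == "__main__":
    failing = encode_redirect_binding(build_authn_request([X509, PPT]))
    recommended = encode_redirect_binding(build_authn_request([]))
    print("X.509 + PasswordProtectedTransport:", requested_authn_context(failing))
    print("no classes configured:             ", requested_authn_context(recommended))
```

To check a live application, copy the SAMLRequest value from the redirect URL to login.microsoftonline.com and pass it to requested_authn_context: a result of None means the module is sending no RequestedAuthnContext, which is the configuration described above; a tuple listing both X509 and PasswordProtectedTransport with "exact" is the combination that breaks Windows Hello.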
Related internal information
- 269650
- IDX-1223
- C03HEV4LK1C/p1768911392585839
Additional information
- Mendix documentation: SAML