Hello
I recently had to change the authentication method on a Centreon Web setup to activate M365/Entra ID SAML login.
Thanks to the fix to the UI to implement the “strict” method, it works without editing the PHP files like before; however, there are some issues depending on how you have set up your M365 account.
Case 1: no MFA, simple login/password (that’s bad) <= SAML with Entra works
Case 2: you activated your MFA and do not use Windows Hello, so you still use your login/password in your browser <== SAML with Entra works
Case 3: you went full MFA, no password, Windows Hello/FIDO, identity token, so you are never typing a password to log in to Microsoft Entra <== SAML with Entra does not work
when logging in from an already authenticated browser:
AADSTS75011: Authentication method 'X509, MultiFactor, X509Device' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the application owner.
when logging in from an unauthenticated browser (in private, or a new browser):
AADSTS75011: Authentication method 'MultiFactor, Fido' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the application owner.
So what to do when you get an error message from Microsoft about an incompatible authentication method?
According to Microsoft it all comes from an optional parameter called “requestedAuthnContext”, which sets the comparison method for the way the user authenticated.
This is problematic as there are multiple methods to authenticate with all these SSO/MFA/token methods.
Microsoft simply says not to provide that parameter, as it is optional and does not work correctly with all the modern authentication methods.
The issue is that the Centreon implementation of php-saml is always setting that parameter to “true”; there is no way to set it to false from the UI.
This is set up in the file
/usr/share/centreon/src/Core/Security/Authentication/Infrastructure/Provider/Settings/Formatter/OneLoginSettingsFormatter.php
on my version (24.10.16).

The object/variable requestedAuthnContext is not defined, so the default is used.
I found a simple way to force that setting to false, in the php-saml lib in this file:
/usr/share/centreon/vendor/onelogin/php-saml/src/Saml2/Settings.php (line 358; there should be only one assignment of this object in the file)
Alternatively, you can add a line above line 76 in OneLoginSettingsFormatter.php:

'requestedAuthnContext' => false,
This sets the value to false, basically ignoring the next line, and now you can log in with MFA and any SSO/token/Windows Hello method your PC is using to authenticate.
I see that the code on GitHub already has a line with that variable in the develop branch;

it has a “hasRequestedAuthnContext()” function.
I checked the release branch; this is not implemented yet.
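To make the effect of that one setting visible, here is an added example (not Centreon's code and not taken from php-saml itself) that builds a minimal php-saml configuration twice, once with `security.requestedAuthnContext` left at its default of `true` and once forced to `false`, generates the SAML AuthnRequest php-saml would send to the IdP, and checks whether the `RequestedAuthnContext` element is present. It assumes `onelogin/php-saml` is installed through Composer; the entity IDs, URLs, tenant ID and certificate are placeholders, not real values.

```php
<?php
// Added example, not Centreon's or php-saml's own code.
// Assumes onelogin/php-saml is installed via Composer (vendor/autoload.php).
// All entity IDs, URLs, the tenant ID and the certificate are placeholders.
require __DIR__ . '/vendor/autoload.php';

use OneLogin\Saml2\AuthnRequest;
use OneLogin\Saml2\Settings;

/**
 * Minimal php-saml settings array. $requestedAuthnContext plays the role of
 * the 'requestedAuthnContext' key the post adds to OneLoginSettingsFormatter:
 *   true  -> php-saml emits <samlp:RequestedAuthnContext> asking for the
 *            PasswordProtectedTransport class (Entra reports this as
 *            'Password, ProtectedTransport' in AADSTS75011)
 *   false -> the element is omitted, so Entra accepts whatever method
 *            (FIDO, Windows Hello, X509...) the user actually signed in with
 */
function buildSettings(bool $requestedAuthnContext): array
{
    return [
        'strict' => true,
        'debug'  => false,
        'sp' => [
            'entityId' => 'https://centreon.example.com/saml/metadata',   // placeholder
            'assertionConsumerService' => [
                'url'     => 'https://centreon.example.com/saml/acs',     // placeholder
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            ],
            'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        ],
        'idp' => [
            // placeholder tenant ID; Entra's real values come from the federation metadata
            'entityId' => 'https://sts.windows.net/00000000-0000-0000-0000-000000000000/',
            'singleSignOnService' => [
                'url'     => 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2',
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            ],
            'x509cert' => 'PLACEHOLDER-IDP-SIGNING-CERT',                // placeholder
        ],
        'security' => [
            'requestedAuthnContext' => $requestedAuthnContext,
        ],
    ];
}

/** Generate the AuthnRequest XML php-saml would redirect the browser with. */
function authnRequestXml(bool $requestedAuthnContext): string
{
    // second argument: validate only the SP side, so the placeholder IdP cert is not checked
    $settings = new Settings(buildSettings($requestedAuthnContext), true);
    return (new AuthnRequest($settings))->getXML();
}

/** True if the request still carries a samlp:RequestedAuthnContext element. */
function requestsAuthnContext(string $xml): bool
{
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    $nodes = $doc->getElementsByTagNameNS(
        'urn:oasis:names:tc:SAML:2.0:protocol',
        'RequestedAuthnContext'
    );
    return $nodes->length > 0;
}

foreach ([true, false] as $flag) {
    $xml = authnRequestXml($flag);
    printf(
        "requestedAuthnContext=%s -> RequestedAuthnContext element %s\n",
        var_export($flag, true),
        requestsAuthnContext($xml)
            ? 'present (passwordless Entra sign-ins fail with AADSTS75011)'
            : 'absent (Entra accepts the method the user actually used)'
    );
}
```

Two practical notes. Editing Settings.php under vendor/ or the formatter under src/ is undone by the next Centreon package upgrade, so keep a record of the change until the release branch gains the `hasRequestedAuthnContext()` handling mentioned above. And once the SP no longer requests an authentication context, the assurance level of the login is whatever Entra enforces for that enterprise application, so make sure a Conditional Access policy requiring MFA covers it rather than relying on the SAML request to ask for it.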
