Resolving SAML Authentication Method

This article describes how to resolve error messages mentioning "Authentication method 'WindowsIntegrated' " when using Azure Active Directory (AD) as the SAML Authentication Identity Provider (IDP).

Problem:

Tamr has been deployed and logging into Tamr using local accounts (such as the default "admin" account) is working well. The system administrator updates Tamr configurations to set up SAML Authentication to use Azure AD as the IDP. A user who is running a Windows OS which also uses the same Azure AD as the IDP reaches the Tamr homepage from their browser and clicks on the "Log In With My Company Account" button on. Instead of reaching an authentication page, the user sees an error that states "Authentication method 'WindowsIntegrated' by which the user authenticated with the service doesn't match requested authentication method". (Error - AADSTS75011)

Cause:

Simply put: the user's identity is being passed through the browser automatically and the Azure AD in this case is specifically expecting a "Windows Integrated" authentication context. However, the Tamr configuration parameter "TAMR_SAML_AUTH_CONTEXT_TYPE" is by default set to "Password" (specifically, urn:oasis:names:tc:SAML:2.0:ac:classes:Password). As a result, the authentication context being requested by the service provider (Tamr) is not matching that expected by the identity provider (Azure AD).

Solution:

Update Tamr configurations to change the value of TAMR_SAML_AUTH_CONTEXT_TYPE to urn:oasis:names:tc:SAML:2.0:ac:classes:Unspecified. Now, restart Tamr.

Note:

1. While "Password", "PasswordProtectedTransport" and "Unspecified" are some commonly used SAML authentication context classes, please check Section 3.4 of this document for a complete list of all valid entries for the TAMR_SAML_AUTH_CONTEXT_TYPE configuration parameter.
2. An alternative to using "Unspecified" context type can be changing the value of TAMR_SAML_AUTH_CONTEXT_TYPE to "urn:federation:authentication:windows".