
I can see from the GitHub issue #7472 that you're experiencing authentication failures when trying to use Windows Hello with Sanity's SAML SSO through Azure AD/Microsoft Entra ID. The error message indicates an authentication method mismatch:
Authentication method 'X509, MultiFactor, X509Device' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'.
The issue occurs because Sanity's SAML authentication request includes a RequestedAuthnContext element that specifies PasswordProtectedTransport as the required authentication method with Comparison="exact". When users authenticate with Windows Hello (which uses X509 certificates, biometric authentication, or other modern methods), Azure AD rejects the login because the authentication method doesn't match what was requested. This is Microsoft's error code AADSTS75011.
According to the GitHub issue thread, a Sanity team member (plsrd) commented on October 3, 2024 stating:
"Thanks for reporting! We've implemented a fix that should allow you to use Windows Hello properly."
However, the issue reporter (EECOLOR) followed up on October 4, 2024 indicating that the SAML request was still including the same RequestedAuthnContext constraint. The issue is marked as CLOSED with state reason COMPLETED, and was locked on January 16, 2025.
Since the issue status is somewhat unclear (marked as completed but with conflicting information in the thread), here are your next steps:
Test your current setup - Try authenticating with Windows Hello again to see if the issue persists. Sometimes fixes take time to propagate or may require cache clearing.
Clear browser cache/cookies - Stale SAML authentication data might be cached in your browser.
Contact Sanity Support directly - Since this is an Enterprise-level feature (SAML SSO is available on Business and Enterprise plans), reach out to Sanity support at support@sanity.io or through your organization's support channel. Reference GitHub issue #7472 in your ticket.
Verify Azure AD configuration - According to Microsoft's documentation on AADSTS75011, you can also check if there are any conflicting authentication policies in your Azure AD Enterprise Application configuration.
Microsoft's recommended solutions for this error are:
Remove the RequestedAuthnContext element entirely (it's optional in SAML)
Change the Comparison attribute from "exact" to a less restrictive value
Set forceAuthn="true" to request fresh authentication that honors the context
The fix would need to be implemented on Sanity's authentication service side, which is why contacting support is your best path forward.
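To confirm what the service provider is actually sending, you can decode the SAMLRequest value from a browser trace and inspect its RequestedAuthnContext. The following is an added example, not Sanity's or Microsoft's code: the function names are hypothetical, the sample request is constructed, and the `mismatch_possible` flag is a heuristic based on the conditions described above.

```python
import base64
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample request; the ID and issuer are placeholders, not Sanity's values.
SAMPLE_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
    'ID="_constructed" Version="2.0" IssueInstant="2024-10-04T00:00:00Z">'
    '<saml:Issuer>https://sp.example.invalid</saml:Issuer>'
    '<samlp:RequestedAuthnContext Comparison="exact">'
    f'<saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>'
    '</samlp:RequestedAuthnContext></samlp:AuthnRequest>'
)


def encode_redirect(xml_text):
    """Encode the way the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_saml_request(value):
    """Decode an already URL-decoded SAMLRequest value from either binding."""
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15).decode()  # HTTP-Redirect: raw DEFLATE
    except zlib.error:
        return raw.decode()  # HTTP-POST: base64 only


def inspect_authn_request(xml_text):
    """Report the request fields involved in the AADSTS75011 mismatch."""
    root = ET.fromstring(xml_text)  # run on your own traces; use defusedxml for untrusted XML
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        refs, comparison = [], None
    else:
        refs = [(e.text or "").strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
        comparison = rac.get("Comparison", "exact")  # SAML treats an omitted value as "exact"
    force = root.get("ForceAuthn", "false").lower() in ("true", "1")
    # Heuristic: exact match on password-only context, without a forced fresh login.
    mismatch = comparison == "exact" and refs == [PPT] and not force
    return {"class_refs": refs, "comparison": comparison,
            "force_authn": force, "mismatch_possible": mismatch}
```

Pass the SAMLRequest query or form parameter (after URL-decoding) to `decode_saml_request`, then feed the result to `inspect_authn_request`.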