
SSO (SAML) login with Windows Hello not working

16 replies. Last updated: Dec 1, 2025

SSO (SAML) login with Windows Hello does not work. I created a ticket here: https://github.com/sanity-io/sanity/issues/7472
AI Update

I can see from the GitHub issue #7472 that you're experiencing authentication failures when trying to use Windows Hello with Sanity's SAML SSO through Azure AD/Microsoft Entra ID. The error message indicates an authentication method mismatch:

Authentication method 'X509, MultiFactor, X509Device' by which the user authenticated 
with the service doesn't match requested authentication method 'Password, ProtectedTransport'.

What's Happening

The issue occurs because Sanity's SAML authentication request includes a RequestedAuthnContext element that specifies PasswordProtectedTransport as the required authentication method with Comparison="exact". When users authenticate with Windows Hello (which uses X509 certificates, biometric authentication, or other modern methods), Azure AD rejects the login because the authentication method doesn't match what was requested. This is Microsoft's error code AADSTS75011.

Current Status

According to the GitHub issue thread, a Sanity team member (plsrd) commented on October 3, 2024 stating:

"Thanks for reporting! We've implemented a fix that should allow you to use Windows Hello properly."

However, the issue reporter (EECOLOR) followed up on October 4, 2024 indicating that the SAML request was still including the same RequestedAuthnContext constraint. The issue is marked as CLOSED with state reason COMPLETED, and was locked on January 16, 2025.

What You Should Do

Since the issue status is somewhat unclear (marked as completed but with conflicting information in the thread), here are your next steps:

Technical Background

Microsoft's recommended solutions for this error are:

The fix would need to be implemented on Sanity's authentication service side, which is why contacting support is your best path forward.
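
To check whether a captured login request still carries the constraint described above, the following added example (not part of the original thread and not Sanity's code) decodes a SAML AuthnRequest and reports its RequestedAuthnContext. It assumes the request was captured from an HTTP-Redirect binding URL (base64 over raw DEFLATE); the endpoints and the sample request are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Constructed fragment reproducing the constraint quoted in the thread.
STRICT = ('<samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef>'
          + PPT + '</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>')


def build_sample_url(context_xml):
    """Constructed sample: a redirect URL for a made-up SP and IdP endpoint."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed" '
           'Version="2.0" IssueInstant="2024-10-04T00:00:00Z">'
           '<saml:Issuer>https://sp.example.test</saml:Issuer>%s</samlp:AuthnRequest>'
           % (NS["samlp"], NS["saml"], context_xml))
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    packed = deflater.compress(xml.encode()) + deflater.flush()
    return "https://idp.example.test/saml2?SAMLRequest=" + quote(base64.b64encode(packed), safe="")


def decode_redirect_request(url):
    """Recover the AuthnRequest XML from an HTTP-Redirect binding URL."""
    param = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    xml = zlib.decompress(base64.b64decode(param), -15)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD found in SAML message; refusing to parse")
    return xml


def inspect_authn_context(xml):
    """Describe the RequestedAuthnContext constraint the SP sent, if any."""
    rac = ET.fromstring(xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return {"present": False, "comparison": None, "classes": [], "exact_password_only": False}
    comparison = rac.get("Comparison", "exact")  # SAML core: omitted means "exact"
    classes = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    # The combination the thread describes: exact match on password-only login.
    strict = comparison == "exact" and classes == [PPT]
    return {"present": True, "comparison": comparison, "classes": classes,
            "exact_password_only": strict}


if __name__ == "__main__":
    for label, ctx in (("strict", STRICT), ("no constraint", "")):
        print(label, inspect_authn_context(decode_redirect_request(build_sample_url(ctx))))
```

For a request captured from an HTTP-POST binding, the form field is base64 only, so the inflate step is skipped before calling `inspect_authn_context`.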
