SSO (SAML) login with Windows Hello not working

16 replies
Last updated: Oct 17, 2024
SSO (SAML) login with Windows Hello does not work, I created a ticket here: https://github.com/sanity-io/sanity/issues/7472
AI Update

I can see from the GitHub issue #7472 that you're experiencing authentication failures when trying to use Windows Hello with Sanity's SAML SSO through Azure AD/Microsoft Entra ID. The error message indicates an authentication method mismatch:

Authentication method 'X509, MultiFactor, X509Device' by which the user authenticated 
with the service doesn't match requested authentication method 'Password, ProtectedTransport'.

What's Happening

The issue occurs because Sanity's SAML authentication request includes a RequestedAuthnContext element that specifies PasswordProtectedTransport as the required authentication method with Comparison="exact". When users authenticate with Windows Hello (which uses X509 certificates, biometric authentication, or other modern methods), Azure AD rejects the login because the authentication method doesn't match what was requested. This is Microsoft's error code AADSTS75011.

Current Status

According to the GitHub issue thread, a Sanity team member (plsrd) commented on October 3, 2024 stating:

"Thanks for reporting! We've implemented a fix that should allow you to use Windows Hello properly."

However, the issue reporter (EECOLOR) followed up on October 4, 2024 indicating that the SAML request was still including the same RequestedAuthnContext constraint. The issue is marked as CLOSED with state reason COMPLETED, and was locked on January 16, 2025.

What You Should Do

Since the issue status is somewhat unclear (marked as completed but with conflicting information in the thread), here are your next steps:

  1. Test your current setup - Try authenticating with Windows Hello again to see if the issue persists. Sometimes fixes take time to propagate or may require cache clearing.

  2. Clear browser cache/cookies - Stale SAML authentication data might be cached in your browser.

  3. Contact Sanity Support directly - Since this is an Enterprise-level feature (SAML SSO is available on Business and Enterprise plans), reach out to Sanity support at support@sanity.io or through your organization's support channel. Reference GitHub issue #7472 in your ticket.

  4. Verify Azure AD configuration - According to Microsoft's documentation on AADSTS75011, you can also check if there are any conflicting authentication policies in your Azure AD Enterprise Application configuration.

Technical Background

Microsoft's recommended solutions for this error are:

  • Remove the RequestedAuthnContext element entirely (it's optional in SAML)
  • Change the Comparison attribute from "exact" to a less restrictive value
  • Add forceAuthn="true" to request fresh authentication that honors the context

The fix would need to be implemented on Sanity's authentication service side, which is why contacting support is your best path forward.
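As an added illustration (not Sanity's code and not a capture from this thread), the script below parses a constructed SAML AuthnRequest, flags the exact PasswordProtectedTransport constraint described above, and produces the relaxed request that Microsoft's guidance suggests; the issuer and AssertionConsumerService URLs are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():          # keep samlp:/saml: prefixes when serializing
    ET.register_namespace(prefix, uri)
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample AuthnRequest (not a real capture) carrying the constraint the
# thread describes: Comparison="exact" with PasswordProtectedTransport as the only class.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_example-id" Version="2.0" IssueInstant="2024-10-04T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.com/saml/acs">
  <saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def requested_authn_context(xml_text):
    """Return (Comparison, [class refs]) or None if the element is absent."""
    rac = ET.fromstring(xml_text).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return rac.get("Comparison", "exact"), refs   # SAML 2.0 default is "exact"


def blocks_passwordless(xml_text):
    """True when the request will make Entra ID reject an X509/Windows Hello
    sign-in with AADSTS75011: an exact match on PasswordProtectedTransport only."""
    ctx = requested_authn_context(xml_text)
    return ctx is not None and ctx[0] == "exact" and ctx[1] == [PPT]


def relax_request(xml_text, drop=True):
    """Copy of the request with the constraint removed (drop=True, Microsoft's
    first suggestion) or with Comparison set to "minimum", which lets the IdP
    satisfy the request with a method it ranks at least as strong."""
    root = ET.fromstring(xml_text)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is not None:
        if drop:
            root.remove(rac)
        else:
            rac.set("Comparison", "minimum")
    return ET.tostring(root, encoding="unicode")
```

Running `blocks_passwordless` over a request captured from your own browser (e.g. the base64-decoded SAMLRequest parameter) is a quick way to confirm whether a service provider still sends the constraint after a claimed fix.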

Hello 👋
I found this article that seems to be related to the error you provided. Would you mind letting me know if updating the request resolves your issue or if this is even possible to do on your end?
user J
The Sanity code is creating the request, we have no influence on the request. As I wrote in the ticket, adjusting the request would indeed solve the problem. I will add the link of your document to the ticket.
Can you give the ticket priority on the Sanity developer backlog?
Hello?
This ticket ( https://github.com/sanity-io/sanity/issues/7472 ) has not seen any response in the last month. Also no reaction here.
What can I do to help move this forward?
Sorry you haven’t gotten a response on your ticket. When prioritizing issues and feature requests the team has limited time and must take into account customer impact. This is the first time I’ve heard of an issue with the method, so the impact may not be clear to the team. I’ll bring it up internally.
Yes, apologies for the delay and thank you for pinging again. I have been able to locate some documentation on this issue from previous configurations and am in the process of speaking with other engineers on how to properly implement the fix.
user M
That surprises me, maybe the larger (Microsoft based) organizations all use custom authentication that mitigates the problem. Maybe it is just that some of the more enterprise customers have not fully switched to 'passwordless' login.

user J
Thanks!
Hi there, our backend team has pushed an update and this should now be working. Please confirm when you have a moment.
user J
Sounds great! I'll let you know once our client confirms they can log in.
Thank you for the effort
user J
Client reported no change, I checked the SAML payload and it remains unchanged. I updated the GitHub ticket.
CC: user M
Thank you for this update, would you mind providing the projectID?
user J
user M
Any news on this?
We just got an update from our backend team a few hours ago, would you mind testing again?
Thanks user J! I'll keep you posted.
It works! Thank you for the effort!
That is great news! Happy I could help and thank you for the update!