Entra SSO and passwordless login

CMS 4, SSO config set up and running for a couple of years.

Our company has been moved over to Entra SSO, with the default being ‘passwordless’ authentication on the Authenticator App.

When trying to sign in to our Xibo CMS, users are getting the error:

AADSTS75011: Authentication method ‘MultiFactor, PasswordlessPhoneSignIn’ by which the user authenticated with the service doesn’t match requested authentication method ‘Password, ProtectedTransport’. Contact the Xibo application owner.

The only method around this is to select a tiny box on the authentication screen (in Incognito mode) to use a password. The users are then not able to log into Office applications because it thinks that they want to only use their password.

Has anyone seen this before, and is there a way using the default PHP-SAML toolkit to allow a different type of authentication other than password?

I found some information that may help, but have not applied it yet. I’m thinking that if I set the ‘requestedAuthnContext’ to False, it won’t specifically look for a password. But it would be nice to lock it down to our specific types of login requests. I’ll have to work with our admin staff to see what all of those types would be.

// Security settings
'security' => array(

    // Authentication context.
    // Set to false and no AuthContext will be sent in the AuthNRequest,
    // Set true or don't present this parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
    // Set an array with the possible auth context values: array('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
    'requestedAuthnContext' => false,
),
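
What each form of the setting described in the comments above puts on the wire, as an added sketch that is not part of the original post and not the toolkit's own code. The helper name `renderRequestedAuthnContext` and its `$comparison` parameter are hypothetical; the class URNs and the 'exact' default are the ones quoted in the comments.

```php
<?php
// Added illustration: renders the <samlp:RequestedAuthnContext> element that
// matches each documented form of the 'requestedAuthnContext' setting.
// renderRequestedAuthnContext() is a hypothetical helper, not a php-saml function.

const DEFAULT_CLASS = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport';

function renderRequestedAuthnContext($setting, string $comparison = 'exact'): string
{
    // false: no AuthContext is sent, so the IdP accepts whatever method the
    // user actually signed in with (passwordless included).
    if ($setting === false) {
        return '';
    }

    // true or not present: the single default class. With Comparison="exact"
    // this is the 'Password, ProtectedTransport' request named in AADSTS75011.
    $classes = ($setting === true || $setting === null)
        ? [DEFAULT_CLASS]
        : (array) $setting; // array (or single string) of acceptable classes

    $xml = sprintf(
        "<samlp:RequestedAuthnContext Comparison=\"%s\">\n",
        htmlspecialchars($comparison, ENT_QUOTES | ENT_XML1)
    );
    foreach ($classes as $class) {
        $xml .= sprintf(
            "  <saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>\n",
            htmlspecialchars($class, ENT_XML1)
        );
    }
    return $xml . "</samlp:RequestedAuthnContext>\n";
}

// The three forms from the quoted comments; the array values are the two
// example URNs given there, not a list of what a given tenant issues.
$cases = [
    'false' => false,
    'true'  => true,
    'array' => [
        'urn:oasis:names:tc:SAML:2.0:ac:classes:Password',
        'urn:oasis:names:tc:SAML:2.0:ac:classes:X509',
    ],
];
foreach ($cases as $label => $setting) {
    $out = renderRequestedAuthnContext($setting);
    echo "requestedAuthnContext = $label\n";
    echo $out === '' ? "  (no RequestedAuthnContext element sent)\n\n" : $out . "\n";
}
```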