Type: Change Request
Resolution: Unresolved
Priority: Minor
Affects Version/s: 7.2.11
Component/s: None
Hello Team,
There is an issue with SAML SSO logins to the Zabbix web app using passwordless authentication.
The problem is in line 138 of ui/vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php. Currently that line reads:
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
This causes errors like the following in the browser whenever users try to log in with SAML SSO and non-password auth:
Message: AADSTS75011: Authentication method 'X509, MultiFactor, X509Device' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'.
There is a possible workaround by editing the web app's PHP code, but users have to go back and re-edit it every time Zabbix is updated, which is a nuisance. Also, it might be beneficial for other users to have this fix implemented officially in Zabbix.
The fix is to change line 138 of ui/vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php to:
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
Please consider this feature in the official release.
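As an added example (not Zabbix's or php-saml's code), the following Python check decodes the SAMLRequest parameter an SP sends over the HTTP-Redirect binding and reports which AuthnContextClassRef it pins, so an operator can confirm the cause of AADSTS75011 before and after changing the class ref. The AuthnRequest XML, the request ID and the issuer "zabbix-sp" are constructed sample values.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"


def build_authn_request(class_ref: str) -> str:
    """Minimal AuthnRequest carrying one requested class ref (constructed sample)."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="{p}" xmlns:saml="{a}" ID="_sample1" '
        'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>zabbix-sp</saml:Issuer>"
        '<samlp:RequestedAuthnContext Comparison="exact">'
        "<saml:AuthnContextClassRef>{c}</saml:AuthnContextClassRef>"
        "</samlp:RequestedAuthnContext>"
        "</samlp:AuthnRequest>"
    ).format(p=NS["samlp"], a=NS["saml"], c=class_ref)


def encode_redirect_param(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode()) + comp.flush()
    return base64.b64encode(data).decode()


def requested_class_refs(saml_request_param: str) -> list:
    """Decode a SAMLRequest query value and list every requested AuthnContextClassRef."""
    raw = zlib.decompress(base64.b64decode(saml_request_param), -15)
    root = ET.fromstring(raw)
    path = "samlp:RequestedAuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in root.findall(path, NS)]


def pins_password_auth(class_refs: list) -> bool:
    """True when the SP demands PasswordProtectedTransport, which an IdP will
    refuse to satisfy with a passwordless method (the AADSTS75011 mismatch)."""
    return PASSWORD_PT in class_refs


if __name__ == "__main__":
    for ref in (PASSWORD_PT, UNSPECIFIED):
        refs = requested_class_refs(encode_redirect_param(build_authn_request(ref)))
        print(refs, "pins password:", pins_password_auth(refs))
```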