We’re experiencing issues with MFA setup for our risk management users in Vault QMS 23R2 integrated with Azure AD. When users try to complete their MFA enrollment, the process fails at the verification stage. The Azure AD conditional access policy is configured to require MFA for all Vault QMS access, but the SAML MFA claims don’t seem to be passing through correctly.
The error we see in the Vault logs:
SAML assertion validation failed: MFA claim missing
User provisioning blocked - authentication_method claim not found
This is blocking our risk workflows since users can’t authenticate to create or approve risk assessments. We’ve verified that just-in-time user provisioning is enabled in our SAML configuration, but something isn’t working correctly with the MFA claim mapping. Has anyone successfully configured Azure AD MFA with Vault QMS risk management workflows?
I’ve seen this before. The issue is usually in the Azure AD enterprise application configuration. Check if your SAML claims are properly mapped - specifically the AuthenticationMethodsReferences claim. This needs to be present in the SAML assertion for Vault to recognize that MFA was completed.
Thanks for the suggestions. I checked the Azure AD enterprise app and the AuthenticationMethodsReferences claim is configured. However, I’m wondering if the issue is with the just-in-time provisioning timing - maybe the user profile isn’t fully created before the MFA claim validation happens?
That’s a good point about JIT provisioning timing. In my experience, you need to ensure that the SAML assertion includes all required user attributes before the MFA validation step. The provisioning process should complete first. Check your Azure AD claim mapping to make sure email, username, and authentication method are all in the same assertion. Also, look at the Vault security settings for the order of authentication steps - user provisioning should happen before MFA validation.
I’d also recommend checking the Azure AD token lifetime settings. If the SAML token expires too quickly, it might cause issues during the JIT provisioning process. We set ours to 60 minutes to give enough time for all the authentication and provisioning steps to complete properly.
Here’s the complete solution based on what I’ve implemented successfully:
1. Azure AD Conditional Access Configuration:
Your conditional access policy needs to be properly scoped. Go to Azure AD → Security → Conditional Access and verify that:
- The policy targets the Vault QMS enterprise application
- MFA is required but set to “Require multi-factor authentication” not “Require compliant device”
- The policy allows the MFA registration process itself (exclude first-time users or create a separate policy for registration)
2. SAML MFA Claims Configuration:
In Azure AD enterprise application for Vault QMS:
Claim name: http://schemas.microsoft.com/claims/authnmethodsreferences
Source: Transformation
Transformation: Extract authentication method references
Parameter 1: AuthenticationMethodsReferences
This claim MUST be included in the SAML assertion. Also add:
Claim name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Source attribute: user.mail
3. Just-in-Time User Provisioning Order:
In Vault QMS Admin → Settings → Security → SAML Configuration:
- Enable “Allow Just-in-Time User Provisioning”
- Set “User Provisioning Timing” to “Before Authentication” (this is critical)
- Map the email claim to the Vault user email field
- Ensure “Require MFA Claim” is checked
4. Vault Security Policy for Risk Management:
Go to Admin → Business Admin → Security Policies → Risk Management:
- Verify that “Require Multi-Factor Authentication” is enabled
- Set “MFA Claim Validation” to “Validate on each login”
- Add the specific claim name from Azure AD: `http://schemas.microsoft.com/claims/authnmethodsreferences`
5. Testing Process:
- Clear any existing failed authentication attempts in Vault
- Have a test user complete MFA enrollment in Azure AD first (outside of Vault)
- Then have them log into Vault QMS - the JIT provisioning should create their profile with the MFA claim already present
Common Pitfall: The “MFA claim missing” error usually means the claim name in Vault doesn’t exactly match what Azure AD sends. Use a SAML decoder tool to inspect the actual assertion and verify the exact claim URI.
After implementing these changes, your risk management workflows should work correctly with Azure AD MFA. The key is ensuring the provisioning happens before MFA validation and that all claim names match exactly between Azure AD and Vault.
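The "inspect the actual assertion" step above can be scripted. The check below is an added example, not part of this thread or of any Veeva or Microsoft tooling: it decodes a SAMLResponse value, pulls every claim out of the AttributeStatement, and reports the exact-match problems described in the answer (missing claim, claim name differing only by case or a trailing slash, authnmethodsreferences present without an MFA value). The sample assertion is constructed, and the `multipleauthn` value is assumed to be what Azure AD emits when MFA was performed.

```python
import base64
import xml.etree.ElementTree as ET

# Claim URIs from the thread; MFA_VALUE is the authnmethodsreferences value
# assumed to indicate that multi-factor auth was performed.
AMR_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real capture) with both required claims.
SAMPLE_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
      <saml:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue>
      <saml:AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()  # form as the browser posts it

def decode_saml_response(encoded):
    """Base64-decode the SAMLResponse form field into XML text."""
    return base64.b64decode(encoded).decode("utf-8")

def extract_claims(xml_text):
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", SAML_NS)]
            for a in root.iterfind(".//saml:Attribute", SAML_NS)}

def _near_match(expected, names):
    """Find a claim name that differs from `expected` only by case or a trailing slash."""
    norm = lambda s: s.lower().rstrip("/")
    return next((n for n in names if norm(n) == norm(expected)), None)

def check_mfa_claims(xml_text):
    """Return a list of problems; an empty list means the assertion carries what Vault needs."""
    claims = extract_claims(xml_text)
    problems = []
    for claim in (AMR_CLAIM, EMAIL_CLAIM):
        if claim not in claims:
            near = _near_match(claim, claims)
            hint = f" (found near match: {near})" if near else ""
            problems.append(f"missing claim {claim}{hint}")
    if AMR_CLAIM in claims and MFA_VALUE not in claims[AMR_CLAIM]:
        problems.append("authnmethodsreferences present but carries no MFA value")
    return problems
```

Paste the SAMLResponse value captured from the browser into `decode_saml_response` and run `check_mfa_claims` on the result; a non-empty list names the mismatch that produces the "MFA claim missing" error.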
We had a similar problem last month. In our case, the Azure AD conditional access policy was triggering MFA, but the SAML token wasn’t including the authentication method claim. You need to add a custom claim rule in Azure AD that explicitly includes the MFA verification status. Also verify that your Vault QMS security policy is configured to accept the specific claim name that Azure AD sends.