From a0aea43e25035b4f4aa24608674c10c8178f8d63 Mon Sep 17 00:00:00 2001
From: Philipinho <16838612+Philipinho@users.noreply.github.com>
Date: Fri, 1 May 2026 11:47:03 +0100
Subject: [PATCH] feat(saml): allow disabling RequestedAuthnContext via env var

Adds SAML_DISABLE_REQUESTED_AUTHN_CONTEXT env var, passed through to the SAML strategy's disableRequestedAuthnContext option. Defaults to existing behavior (element sent). Set to true to omit the element when the IdP authenticates the user with a method that does not match (e.g. MFA, FIDO, passwordless), which would otherwise cause AADSTS75011 with Microsoft Entra ID.
---
 apps/server/src/ee | 2 +-
 .../src/integrations/environment/environment.service.ts | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/apps/server/src/ee b/apps/server/src/ee
index 4101fc42..fabe2729 160000
--- a/apps/server/src/ee
+++ b/apps/server/src/ee
@@ -1 +1 @@
-Subproject commit 4101fc427b785e2711c0f608c377d641a2e4be78
+Subproject commit fabe2729879e0543518f0c42bfdb3b403afe3c4a
diff --git a/apps/server/src/integrations/environment/environment.service.ts b/apps/server/src/integrations/environment/environment.service.ts
index af35e934..f0b548ab 100644
--- a/apps/server/src/integrations/environment/environment.service.ts
+++ b/apps/server/src/integrations/environment/environment.service.ts
@@ -304,4 +304,11 @@ export class EnvironmentService {
 getClickHouseUrl(): string {
 return this.configService.get('CLICKHOUSE_URL');
 }
+
+ getSamlDisableRequestedAuthnContext(): boolean {
+ const disabled = this.configService
+ .get('SAML_DISABLE_REQUESTED_AUTHN_CONTEXT', 'false')
+ .toLowerCase();
+ return disabled === 'true';
+ }
 }
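Review bot: getSamlDisableRequestedAuthnContext() has no doc comment, although the flag changes what the service asks of the IdP: per the commit message, `true` omits RequestedAuthnContext from the request, so the service states no authentication-method requirement of its own and login strength (MFA or not) rests entirely on IdP policy. I would add a TSDoc block above the getter that says this, and that the value is consumed by the SAML strategy in the `apps/server/src/ee` submodule, which this patch only bumps and which is not visible here. The parsing fails safe, since anything other than a case-insensitive `true` keeps the element, but a value with stray whitespace such as `true ` is then silently ignored; trimming first avoids that: `.get('SAML_DISABLE_REQUESTED_AUTHN_CONTEXT', 'false').trim().toLowerCase();`. The enclosing EnvironmentService class starts outside the hunk.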