Hello everyone
We have this .NET application called "appName.contoso.com" running on IIS and using WS-Federation for authentication with our ADFS 2.0 CU2 farm.
Since the application owner wants users to be prompted (FBA) for their username and password (no SSO) they have added the following to their web.config:
<federatedAuthentication>
  <!-- authenticationType is passed to the STS as the wauth parameter of the wsignin1.0 request;
       realm becomes wtrealm, issuer is the passive endpoint the browser is redirected to -->
  <wsFederation authenticationType="urn:oasis:names:tc:SAML:1.0:am:password"
                passiveRedirectEnabled="true"
                issuer="https://sts.contoso.com/adfs/ls/"
                realm="https://appName.contoso.com/"
                requireHttps="true" />
  <!-- session cookie is only ever sent over HTTPS -->
  <cookieHandler requireSsl="true" />
</federatedAuthentication>
This works great, users get prompted (FBA) and can sign in successfully, BUT we keep getting these errors on the ADFS servers:
The Federation Service could not satisfy a token request because the authentication type requirement of 'urn:oasis:names:tc:SAML:1.0:am:password' for the relying party 'https://appName.contoso.com' was not met.
Using Get-ADFSProperties I can see that 'urn:oasis:names:tc:SAML:1.0:am:password' is not in the
AuthenticationContextOrder list, so perhaps that's why?
But can/should it be added?
If it DOES work out-of-the-box then why isn't it in the list by default?
Is there another, better way to configure web.config to achieve FBA for this particular web application?
This is the current AuthenticationContextOrder from Get-ADFSProperties (each entry is a System.Uri object; only the URI itself is listed here, in order):

urn:oasis:names:tc:SAML:2.0:ac:classes:Password
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
urn:oasis:names:tc:SAML:2.0:ac:classes:X509
urn:federation:authentication:windows
urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
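For anyone trying to answer the "can it be added?" part, this is an added example script (not from the original post, and not Microsoft's guidance) that inspects the farm's AuthenticationContextOrder, appends the SAML 1.0 password URI only if it is missing, and then looks for the "authentication type requirement" entries in the AD FS 2.0 admin log. It assumes the AD FS 2.0 snap-in (Microsoft.Adfs.PowerShell) on a federation server, an account that can run Set-ADFSProperties, and that the admin log is named 'AD FS 2.0/Admin'. Note that AuthenticationContextOrder is a farm-wide setting, so changing it affects every relying party, not just appName.contoso.com; try it in a lab farm first.

```powershell
# Added example, not part of the original post. Assumes the AD FS 2.0 snap-in and admin rights on the farm.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# The value WIF sends as wauth for authenticationType in web.config above
$wanted = 'urn:oasis:names:tc:SAML:1.0:am:password'

# Read the current order as plain strings so we can compare them
$current = @((Get-ADFSProperties).AuthenticationContextOrder | ForEach-Object { $_.OriginalString })

"Current AuthenticationContextOrder:"
$current | ForEach-Object { "  $_" }

if ($current -contains $wanted) {
    "'$wanted' is already present; nothing to change."
}
else {
    # Append rather than prepend: the list expresses preference order, and the
    # existing entries (Password, PasswordProtectedTransport, TLSClient, ...)
    # should keep their relative ranking.
    $newOrder = [Uri[]]($current + $wanted)
    "Appending '$wanted' to AuthenticationContextOrder (farm-wide setting)."
    Set-ADFSProperties -AuthenticationContextOrder $newOrder
}

# Verify what the farm now advertises
"Resulting AuthenticationContextOrder:"
(Get-ADFSProperties).AuthenticationContextOrder | ForEach-Object { "  $($_.OriginalString)" }

# Check whether the 'authentication type requirement ... was not met' errors keep appearing.
# Log name assumed to be the AD FS 2.0 admin channel; adjust if your farm logs elsewhere.
Get-WinEvent -LogName 'AD FS 2.0/Admin' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*authentication type requirement*' } |
    Select-Object TimeCreated, Id, @{ Name = 'RelyingParty'; Expression = {
        if ($_.Message -match "relying party '([^']+)'") { $Matches[1] } else { '' } } }
```

Run it once before changing anything (it only reports when the URI is already present), and run the final Get-WinEvent query again after a few fresh sign-ins to see whether the errors stop for this relying party.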