RSA Id Plus
RSA Cloud Authentication Service
This issue occurs when the user's OIDC authentication is successful according to the User Event Monitor , and the user was not prompted for additional (multifactor) authentication. However the application reports an authentication failure due to a missing amr or Authentication Methods References claim in the id_token of the OIDC Response sent by CAS.
If the application is Microsoft Entra ID, it reports the following error:
AADSTS5001256: Failed to complete authentication with external provider due to invalid id_token. Failure details: missing required 'amr' claim.
An OIDC response is sent from the RSA Cloud Authentication Service (CAS) to the application when an OIDC authentication is completed by CAS. Authentication Methods References or "amr" claim, is an optional field in the id_token of an OIDC response. When present, amr is used to give the application a list of the method(s) that authenticated the user, such as OTP, SMS, etc. amr can be used by applications to determine the strength of the authentication.
CAS only puts an amr claim in an id_token if the user was challenged with additional authentication.
Although an amr claim is optional according to the OIDC standard, some applications such as Microsoft Entra ID require it.
When the application requires the id_token in the OIDC response to include an amr claim, the Access Policy rules must be configured to ensure that every user is challenged with additional authentication.
To modify the OIDC application's Access Policy to require additional authentication for all users:
- In the CAC, if it is a Relying Party application go to Authentication Clients > Relying Parties. If it is a My Page SSO Portal application, go to Applications > My Applications.
- Edit the application.
- On the Authentication page of the application, note the name of the Access Policy configured there.
- Go to Access > Policies
- Edit the policy that was noted in step 2 above.
- Go to the Rule Sets page. For every rule listed there:
- If the rule has Access Details set to Conditional, ensure every condition in the Rule has either Authenticate or Deny Access set. "Allow Access" should not be used.
- If the rule has Access Details set to Allowed, then set Additional Authentication to Requires.
- Save the Access Policy changes, then Publish.
See also section "Add an Access Policy" on page Add, Clone, or Delete an Access Policy.
Related Articles
"This token pack ID is invalid" error when registering new token pack credentials on Download Central 44Number of Views Salesforce AFX Connector provisioning fails with 'Error occured while generating access token from refresh token' and INV… 292Number of Views Unsuccessful connection to RSA SecurID Access: Authentication token was either missing or invalid 377Number of Views How to manipulate imported RSA SecurID Software Token(s) on an iPhone or iPad device 785Number of Views Unable to Resolve User by Login ID and/or Alias or Authenticator Not Assigned to User When Attempting to Authenticate via … 2.14KNumber of Views
Trending Articles
RSA Authentication Manager 8.9 Setup and Configuration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide How to 'Trust' the RSA Authentication Manager Security Console Self-Signed Root CA certificate and prevent Cert warnings. RSA Authentication Manager Upgrade Process