RSA Id Plus
RSA Cloud Authentication Service
This issue occurs when the user's OIDC authentication is successful according to the User Event Monitor, and the user was not prompted for additional (multifactor) authentication. However, the application reports an authentication failure because the id_token in the OIDC response sent by CAS is missing the amr (Authentication Methods References) claim.
If the application is Microsoft Entra ID, it reports the following error:
AADSTS5001256: Failed to complete authentication with external provider due to invalid id_token. Failure details: missing required 'amr' claim.
An OIDC response is sent from the RSA Cloud Authentication Service (CAS) to the application when CAS completes an OIDC authentication. The Authentication Methods References ("amr") claim is an optional field in the id_token of an OIDC response. When present, amr gives the application a list of the method(s) that authenticated the user, such as OTP or SMS, and applications can use it to determine the strength of the authentication.
CAS only puts an amr claim in an id_token if the user was challenged with additional authentication.
Although an amr claim is optional according to the OIDC standard, some applications such as Microsoft Entra ID require it.
When the application requires the id_token in the OIDC response to include an amr claim, the Access Policy rules must be configured to ensure that every user is challenged with additional authentication.
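The check below, added here as an example and not RSA's or Microsoft's code, shows what a relying party that requires amr does with the id_token: verify the signature, decode the claims, and reject the token when amr is absent, which is exactly the case CAS produces when the Access Policy lets a user through without additional authentication. To stay self-contained it builds two constructed HS256 tokens with a constructed shared secret (a real CAS id_token is signed with the provider's key and carries real issuer, subject and audience values); the issuer, client ID and the amr value "otp" are placeholders, not values taken from CAS.

```python
"""Diagnostic for the 'missing required amr claim' failure.

Added example, not RSA's code. Builds constructed id_tokens and checks,
after signature verification, whether the 'amr' claim is present.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed; a real IdP signs with its own key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a constructed HS256 JWT standing in for a CAS id_token."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_and_decode(id_token: str, secret: bytes = SECRET) -> dict:
    """Verify the HS256 signature, then return the payload claims."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token does not have three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def check_amr(id_token: str, secret: bytes = SECRET) -> dict:
    """Mirror a relying party that requires amr.

    Returns {"ok": bool, "amr": list | None, "reason": str}.
    """
    claims = verify_and_decode(id_token, secret)
    amr = claims.get("amr")
    if amr is None:
        return {"ok": False, "amr": None,
                "reason": "missing required 'amr' claim: user was not "
                          "challenged with additional authentication"}
    if not isinstance(amr, list) or not all(isinstance(m, str) for m in amr):
        return {"ok": False, "amr": amr,
                "reason": "'amr' must be a JSON array of strings"}
    return {"ok": True, "amr": amr, "reason": "amr present"}


# Constructed sample claims; issuer, subject and audience are placeholders.
BASE_CLAIMS = {"iss": "https://idp.example.invalid", "sub": "user123",
               "aud": "rp-client-id", "iat": 1700000000, "exp": 1700003600}

# Case 1: the Access Policy allowed the user without additional authentication,
# so the token carries no amr (the situation this article describes).
TOKEN_NO_AMR = make_id_token(BASE_CLAIMS)
# Case 2: the user was challenged (constructed method value "otp"), so amr is present.
TOKEN_WITH_AMR = make_id_token({**BASE_CLAIMS, "amr": ["otp"]})

if __name__ == "__main__":
    for label, tok in (("no additional auth", TOKEN_NO_AMR),
                       ("with additional auth", TOKEN_WITH_AMR)):
        print(label, "->", check_amr(tok))
```

Running the script prints a rejection for the first token and an acceptance listing ["otp"] for the second. Pasting a real id_token captured from a failing login into `verify_and_decode` would need the provider's actual key and algorithm; the claim-presence logic in `check_amr` is the part that matches the Entra ID error above.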
To modify the OIDC application's Access Policy to require additional authentication for all users:
- In the Cloud Administration Console (CAC), if it is a Relying Party application, go to Authentication Clients > Relying Parties. If it is a My Page SSO Portal application, go to Applications > My Applications.
- Edit the application.
- On the Authentication page of the application, note the name of the Access Policy configured there.
- Go to Access > Policies.
- Edit the policy whose name you noted on the application's Authentication page.
- Go to the Rule Sets page. For every rule listed there:
  - If the rule has Access Details set to Conditional, ensure every condition in the rule has either Authenticate or Deny Access set. "Allow Access" should not be used.
  - If the rule has Access Details set to Allowed, set Additional Authentication to Requires.
- Save the Access Policy changes, then Publish.
See also section "Add an Access Policy" on page Add, Clone, or Delete an Access Policy.