RSA Id Plus
RSA Cloud Authentication Service
This issue occurs when the user's OIDC authentication is successful according to the User Event Monitor, and the user was not prompted for additional (multifactor) authentication. However, the application reports an authentication failure because the id_token in the OIDC response sent by CAS does not contain an amr (Authentication Methods References) claim.
If the application is Microsoft Entra ID, it reports the following error:
AADSTS5001256: Failed to complete authentication with external provider due to invalid id_token. Failure details: missing required 'amr' claim.
An OIDC response is sent from the RSA Cloud Authentication Service (CAS) to the application when an OIDC authentication is completed by CAS. The Authentication Methods References, or "amr", claim is an optional field in the id_token of an OIDC response. When present, amr gives the application a list of the method(s) that authenticated the user, such as OTP, SMS, etc. Applications can use amr to determine the strength of the authentication.
CAS only puts an amr claim in an id_token if the user was challenged with additional authentication.
Although an amr claim is optional according to the OIDC standard, some applications such as Microsoft Entra ID require it.
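To confirm which of the two cases above applies, a captured id_token can be decoded and inspected for the amr claim. The following is an added diagnostic example, not RSA or Microsoft code; the two tokens it builds are constructed samples with an assumed issuer, and it deliberately does not verify the signature, so it is for inspection only, not for trusting a token.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_id_token(claims: dict) -> str:
    """Build an unsigned (alg 'none') JWT so the check can run offline."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_payload(id_token: str) -> dict:
    """Return the id_token claims. Diagnostic only: the signature is NOT
    verified, so use this to inspect a token, never to accept one."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def amr_methods(id_token: str):
    """Return the list carried in the amr claim, or None when it is absent.
    An absent amr is exactly the condition that makes Entra ID reject the
    token with 'missing required amr claim'."""
    amr = decode_payload(id_token).get("amr")
    if amr is None:
        return None
    if not isinstance(amr, list):
        raise ValueError("amr claim must be a JSON array of strings")
    return amr


# Constructed samples (assumed issuer, not real CAS tokens): one token as CAS
# issues it after an additional-authentication challenge, one without it.
WITH_AMR = make_unsigned_id_token(
    {"iss": "https://cas.example", "sub": "user1", "amr": ["otp"]})
WITHOUT_AMR = make_unsigned_id_token(
    {"iss": "https://cas.example", "sub": "user1"})

if __name__ == "__main__":
    for label, token in (("with amr", WITH_AMR), ("without amr", WITHOUT_AMR)):
        print(f"{label}: amr = {amr_methods(token)}")
```

Paste a real id_token from a captured OIDC response in place of the samples; a result of None confirms the user was not challenged with additional authentication and the Access Policy needs the change described below.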
When the application requires the id_token in the OIDC response to include an amr claim, the Access Policy rules must be configured to ensure that every user is challenged with additional authentication.
To modify the OIDC application's Access Policy to require additional authentication for all users:
- In the CAC, if it is a Relying Party application go to Authentication Clients > Relying Parties. If it is a My Page SSO Portal application, go to Applications > My Applications.
- Edit the application.
- On the Authentication page of the application, note the name of the Access Policy configured there.
- Go to Access > Policies.
- Edit the policy whose name you noted on the application's Authentication page.
- Go to the Rule Sets page. For every rule listed there:
  - If the rule has Access Details set to Conditional, ensure every condition in the rule has either Authenticate or Deny Access set. "Allow Access" should not be used.
  - If the rule has Access Details set to Allowed, then set Additional Authentication to Requires.
- Save the Access Policy changes, then Publish.
See also section "Add an Access Policy" on page Add, Clone, or Delete an Access Policy.