Authentication

Specifying Authentication Contexts

August 15, 2017 (updated November 22, 2017)

The SAML2 gateway lets a service provider narrow the authentication methods offered to the user by including a RequestedAuthnContext element in the SAML AuthnRequest. If the requested authentication context matches exactly one authentication method, only that method is displayed; if it matches several, the user is shown a method selection screen. An authentication context that matches no method produces an error message.

There are two ways of specifying the authentication context, depending on what you want to achieve.

AuthnContextClassRef

Use this element when you want to offer a selection of authentication methods based on a particular class reference. The class reference is expressed as a URN, for example urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI or urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport. The class reference must match at least one of the authentication methods defined in your service. Contact support@signicat.com if you are unsure which class reference to use, or if you want a custom class reference set up.

Another useful attribute is Comparison. It is set on the RequestedAuthnContext element and takes one of the values exact, minimum, maximum or better.

  • Comparison="exact" means that the SAML2 gateway displays exactly those authentication methods that match the AuthnContextClassRef, with no further filtering. This is the default value.
  • Comparison="minimum" extracts the signicat.security-level attribute of the methods that match the AuthnContextClassRef and compares it against the security levels of the authentication methods available in the service. Only methods with a security level equal to or higher than the extracted level are displayed.
  • Comparison="maximum" extracts the signicat.security-level attribute of the methods that match the AuthnContextClassRef and compares it against the security levels of the authentication methods available in the service. Only methods with a security level equal to or lower than the extracted level are displayed.
  • Comparison="better" extracts the signicat.security-level attribute of the methods that match the AuthnContextClassRef and compares it against the security levels of the authentication methods available in the service. Only methods with a security level strictly higher than the extracted level are displayed.
Example
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://id.customer.com/gateway/customer/saml2/sso/browser" ID="id-b5f96406-9934-4cc4-a1b3-897ca35aed13" IssueInstant="2014-11-01T22:42:23.584Z" Version="2.0">
    <saml:Issuer>http://login.customer.com/adfs/services/trust</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"></samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

AuthnContextDeclRef

This element identifies a single authentication method uniquely. Its value is also a URN, of the form urn:signicat:SAML:2.0:ac:ref:service_name:method_name, where service_name is the name of your service and method_name the name of the method within it. The Comparison attribute has no effect on AuthnContextDeclRef.

Example
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://id.customer.com/gateway/customer/saml2/sso/browser" ID="id-b5f96406-9934-4cc4-a1b3-897ca35aed13" IssueInstant="2014-11-01T22:42:23.584Z" Version="2.0">
    <saml:Issuer>http://login.customer.com/adfs/services/trust</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"></samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext>
        <saml:AuthnContextDeclRef>urn:signicat:SAML:2.0:ac:ref:demo:nemid</saml:AuthnContextDeclRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
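The following is an added example, not Signicat's code, that models both selection rules described above in one place: filtering by AuthnContextClassRef under each Comparison value, and AuthnContextDeclRef naming one method regardless of Comparison. It also shows the check a service provider should make on the way back: because the AuthnRequest travels through the user's browser, the SP must not assume the gateway saw the context it sent, and should confirm that the AuthnContext in the returned (signature-validated) assertion maps to a method the request allowed. The method catalogue for a service called "demo", its class references and its signicat.security-level values are constructed for illustration, and the handling of a request that lists several class references follows the wording of the SAML core specification rather than anything stated on this page.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed catalogue for a hypothetical service "demo" (assumption, not Signicat
# configuration): method name -> (AuthnContextClassRef it matches, signicat.security-level).
SERVICE = "demo"
METHODS = {
    "password": (AC + "PasswordProtectedTransport", 2),
    "sms-otp": (AC + "MobileTwoFactorContract", 3),
    "nemid": (AC + "SoftwarePKI", 4),
    "bankid": (AC + "SmartcardPKI", 5),
}


def decl_ref(method):
    """AuthnContextDeclRef form from the page: urn:signicat:SAML:2.0:ac:ref:<service>:<method>."""
    return f"urn:signicat:SAML:2.0:ac:ref:{SERVICE}:{method}"


def build_authn_request(class_refs=(), decl_ref_uri=None, comparison=None):
    """Minimal AuthnRequest carrying a RequestedAuthnContext (constructed example values)."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {"ID": "id-example-1", "Version": "2.0",
        "IssueInstant": "2014-11-01T22:42:23.584Z",
        "Destination": "https://id.customer.com/gateway/customer/saml2/sso/browser"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = "http://login.customer.com/adfs/services/trust"
    if decl_ref_uri is not None or class_refs:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext")
        if comparison is not None:
            rac.set("Comparison", comparison)
        if decl_ref_uri is not None:
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextDeclRef").text = decl_ref_uri
        for cls in class_refs:
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = cls
    return ET.tostring(req, encoding="unicode")


def select_methods(authn_request_xml):
    """Gateway side: methods offered for this request, sorted by name. One result is shown
    directly, several give a selection screen, none raises ValueError (the error message)."""
    rac = ET.fromstring(authn_request_xml).find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return sorted(METHODS)  # nothing requested: every method is eligible
    decl = rac.findtext(f"{{{SAML}}}AuthnContextDeclRef")
    if decl is not None:  # DeclRef names exactly one method; Comparison is ignored
        chosen = [m for m in METHODS if decl_ref(m) == decl.strip()]
        if not chosen:
            raise ValueError(f"no method for AuthnContextDeclRef {decl.strip()}")
        return chosen
    classes = {(e.text or "").strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")}
    matched = {m for m, (cls, _) in METHODS.items() if cls in classes}
    if not matched:
        raise ValueError(f"no method for AuthnContextClassRef {sorted(classes)}")
    comparison = rac.get("Comparison", "exact")  # exact is the default
    if comparison == "exact":
        return sorted(matched)
    levels = [METHODS[m][1] for m in matched]
    # Reference level when several methods match (assumption, following SAML core's wording):
    # minimum = at least as strong as one of them, maximum = not exceeding one of them,
    # better = stronger than any of them.
    if comparison == "minimum":
        keep = lambda lvl: lvl >= min(levels)
    elif comparison == "maximum":
        keep = lambda lvl: lvl <= max(levels)
    elif comparison == "better":
        keep = lambda lvl: lvl > max(levels)
    else:
        raise ValueError(f"unknown Comparison value {comparison!r}")
    chosen = sorted(m for m, (_, lvl) in METHODS.items() if keep(lvl))
    if not chosen:
        raise ValueError(f"no method satisfies Comparison={comparison}")
    return chosen


def build_assertion(class_ref=None, decl_ref_uri=None):
    """Minimal Assertion with one AuthnStatement (constructed and unsigned for brevity)."""
    a = ET.Element(f"{{{SAML}}}Assertion", {"ID": "id-assertion-1", "Version": "2.0"})
    st = ET.SubElement(a, f"{{{SAML}}}AuthnStatement", {"AuthnInstant": "2014-11-01T22:42:30Z"})
    ctx = ET.SubElement(st, f"{{{SAML}}}AuthnContext")
    for tag, val in (("AuthnContextClassRef", class_ref), ("AuthnContextDeclRef", decl_ref_uri)):
        if val is not None:
            ET.SubElement(ctx, f"{{{SAML}}}{tag}").text = val
    return ET.tostring(a, encoding="unicode")


def assertion_context_allowed(authn_request_xml, assertion_xml):
    """SP side, after signature validation (not shown): the AuthnContext asserted for the
    user must map to a method the request allowed. The request passed through the user's
    browser, so a weaker-than-requested method must be rejected here, not assumed away."""
    allowed = select_methods(authn_request_xml)
    ctx = ET.fromstring(assertion_xml).find(f"./{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext")
    if ctx is None:
        return False
    decl = ctx.findtext(f"{{{SAML}}}AuthnContextDeclRef")
    if decl is not None:
        return decl.strip() in {decl_ref(m) for m in allowed}
    cls = ctx.findtext(f"{{{SAML}}}AuthnContextClassRef")
    return cls is not None and cls.strip() in {METHODS[m][0] for m in allowed}
```

With the constructed catalogue, a request for SoftwarePKI returns only nemid under exact, nemid and bankid under minimum, and bankid alone under better; a better request for the strongest method in the service matches nothing and ends in the error path, which is worth remembering when a relying party uses better to force step-up authentication.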
