Hello Community
We are an institution running ISAM (version 9.0.7), acting as service provider in a federation with the public Danish identity provider.
The IdP supports RequestedAuthnContext in the AuthnRequest, and we need to support this for the federation to fulfill an end-user use case.
The only way I have found to manipulate the AuthnRequest is using a mapping rule specified for the federation under SAML Message Extension.
This wraps the RequestedAuthnContext inside Extensions and results in a request like:
<samlp:AuthnRequest
    ... attributes ...>
    <saml:Issuer spec ... </saml:Issuer>
    <samlp:NameIDPolicy spec ... </samlp:NameIDPolicy>
    <samlp:Extensions>
        <samlp:RequestedAuthnContext Comparison="exact">
            <saml:AuthnContextClassRef>https://data.gov.dk/eid/Person</saml:AuthnContextClassRef>
        </samlp:RequestedAuthnContext>
    </samlp:Extensions>
</samlp:AuthnRequest>
However, RequestedAuthnContext should be defined in the request directly under AuthnRequest according to the SAML 2.0 specification.
The request should look like:
<samlp:AuthnRequest
    ... attributes ...>
    <saml:Issuer spec ... </saml:Issuer>
    <samlp:NameIDPolicy spec ... </samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>https://data.gov.dk/eid/Person</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
How to accomplish this? Is there any other way to manipulate the AuthnRequest to include RequestedAuthnContext as described?
Note: We are migrating to ISVA Q1 2023
Cheers
------------------------------
Kim Petersen
Specialist
ATP
------------------------------
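A conformance check for the outbound request, added here as an example that is not part of the original post and not ISAM code: it parses a SAML 2.0 AuthnRequest and reports whether RequestedAuthnContext is a direct, correctly ordered child of AuthnRequest or has been wrapped in Extensions. The two sample requests and the SP issuer URL are constructed for the example.

```python
"""Check where RequestedAuthnContext sits in a SAML 2.0 AuthnRequest (added example)."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Child order fixed by the AuthnRequestType schema (SAML 2.0 core, section 3.4.1).
AUTHN_REQUEST_ORDER = [
    f"{{{SAML}}}Issuer", f"{{{DS}}}Signature", f"{{{SAMLP}}}Extensions",
    f"{{{SAML}}}Subject", f"{{{SAMLP}}}NameIDPolicy", f"{{{SAML}}}Conditions",
    f"{{{SAMLP}}}RequestedAuthnContext", f"{{{SAMLP}}}Scoping",
]
RAC = f"{{{SAMLP}}}RequestedAuthnContext"


def check_requested_authn_context(xml_text: str) -> dict:
    """Report whether RequestedAuthnContext is a direct, correctly ordered child."""
    root = ET.fromstring(xml_text)
    ext = root.find(f"{{{SAMLP}}}Extensions")
    # Extensions has an ##other content model, so a samlp:* element placed there
    # is not schema-valid and is ignored by an IdP reading the standard element.
    inside_ext = ext is not None and ext.find(RAC) is not None
    direct = root.find(RAC) is not None  # find() only looks at direct children
    order_ok, last = True, -1
    for child in root:
        if child.tag in AUTHN_REQUEST_ORDER:
            idx = AUTHN_REQUEST_ORDER.index(child.tag)
            order_ok = order_ok and idx >= last
            last = idx
    class_refs = [e.text for e in root.iter(f"{{{SAML}}}AuthnContextClassRef")]
    return {"direct_child": direct, "inside_extensions": inside_ext,
            "order_ok": order_ok, "class_refs": class_refs,
            "conformant": direct and not inside_ext and order_ok}


# Constructed samples mirroring the two shapes in the post (issuer is a placeholder).
_HEAD = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_c1" '
         'Version="2.0" IssueInstant="2023-01-01T00:00:00Z">'
         '<saml:Issuer>https://sp.example.test/saml</saml:Issuer>'
         '<samlp:NameIDPolicy AllowCreate="true"/>')
_RAC = ('<samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef>'
        'https://data.gov.dk/eid/Person</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>')
WRAPPED_REQUEST = _HEAD + "<samlp:Extensions>" + _RAC + "</samlp:Extensions></samlp:AuthnRequest>"
DIRECT_REQUEST = _HEAD + _RAC + "</samlp:AuthnRequest>"

if __name__ == "__main__":
    for name, req in (("wrapped", WRAPPED_REQUEST), ("direct", DIRECT_REQUEST)):
        print(name, check_requested_authn_context(req))
```

Run it against the AuthnRequest captured from the browser (the decoded SAMLRequest parameter) to confirm the change in placement before the IdP is asked to test.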