IBM Verify

 View Only
  • 1.  Specifying RequestedAuthnContext in AuthnRequest for a federation

    Posted Tue November 29, 2022 09:26 AM
    Hello Community

    We are an institution having ISAM (version 9.0.7) federation has service provider in federation with the public Danish identity provider.
    The IdP supports RequestedAuthnContext in the AuthnRequest and we need to support this for a federation to fulfill end user use case.
    The only way I have found to manipulate AuthnRequest is using a mapping rule specified for the federation under SAML Message Extension.
    This wraps the RequestedAuthnContext inside Extensions and results in a request like:

    <samlp:AuthnRequest
    ... attributes ...>
    <saml:Issuer spec ... </saml:Issuer>
    <samlp:NameIDPolicy spec ... </samlp:NameIDPolicy>
    <samlp:Extensions>
    <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>https://data.gov.dk/eid/Person</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
    </samlp:Extensions>
    </samlp:AuthnRequest>

    However RequestedAuthnContext should be defined in the request directly under AuthnRequest according the SAML20 specification.
    The request should look like:

    <samlp:AuthnRequest
    ... attributes ...>
    <saml:Issuer spec ... </saml:Issuer>
    <samlp:NameIDPolicy spec ... </samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>https://data.gov.dk/eid/Person</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>

    Howto accomplish this - is there any other way to manipulate the AuthnRequest to include RequestedAuthnContext as described?

    Note: We are migrating to ISVA Q1 2023

    Cheers

    ------------------------------
    Kim Petersen
    Specialist
    ATP
    ------------------------------


  • 2.  RE: Specifying RequestedAuthnContext in AuthnRequest for a federation
    Best Answer

    Posted Wed November 30, 2022 01:49 AM
    I take it in this use case you are SP, and needing to set RequestedAuthnContext/AuthnContextClassRef value. In that case I believe you should be able to do it via simple query string parameters to the logininitial URL (kickoff URL for SP-initiated SAML SSO). See: https://www.ibm.com/docs/bg/sva/9.0.7?topic=profiles-saml-20-profile-initial-urls

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 3.  RE: Specifying RequestedAuthnContext in AuthnRequest for a federation

    Posted Fri December 02, 2022 02:47 AM
    Thanks Shane
    That is simple solution

    ------------------------------
    Kim Petersen
    Specialist
    ATP
    ------------------------------