IBM Security Verify

  • 1.  Specifying RequestedAuthnContext in AuthnRequest for a federation

    Posted Tue November 29, 2022 09:26 AM
    Hello Community

    We are an institution running an ISAM (version 9.0.7) federation as service provider in federation with the public Danish identity provider.
    The IdP supports RequestedAuthnContext in the AuthnRequest and we need to support this for a federation to fulfill an end-user use case.
    The only way I have found to manipulate AuthnRequest is using a mapping rule specified for the federation under SAML Message Extension.
    This wraps the RequestedAuthnContext inside Extensions and results in a request like:

    <samlp:AuthnRequest
    ... attributes ...>
    <saml:Issuer spec ... </saml:Issuer>
    <samlp:NameIDPolicy spec ... </samlp:NameIDPolicy>
    <samlp:Extensions>
    <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>https://data.gov.dk/eid/Person</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
    </samlp:Extensions>
    </samlp:AuthnRequest>

    However, RequestedAuthnContext should be defined in the request directly under AuthnRequest according to the SAML 2.0 specification.
    The request should look like:

    <samlp:AuthnRequest
    ... attributes ...>
    <saml:Issuer spec ... </saml:Issuer>
    <samlp:NameIDPolicy spec ... </samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>https://data.gov.dk/eid/Person</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>

    How to accomplish this - is there any other way to manipulate the AuthnRequest to include RequestedAuthnContext as described?

    Note: We are migrating to ISVA Q1 2023

    Cheers

    ------------------------------
    Kim Petersen
    Specialist
    ATP
    ------------------------------


  • 2.  RE: Specifying RequestedAuthnContext in AuthnRequest for a federation
    Best Answer

    Posted Wed November 30, 2022 01:49 AM
    I take it in this use case you are SP, and needing to set RequestedAuthnContext/AuthnContextClassRef value. In that case I believe you should be able to do it via simple query string parameters to the logininitial URL (kickoff URL for SP-initiated SAML SSO). See: https://www.ibm.com/docs/bg/sva/9.0.7?topic=profiles-saml-20-profile-initial-urls

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
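    The two points in this answer that a practitioner will want to check are (a) that the kickoff URL carries the authentication context as properly URL-encoded query parameters and (b) that the AuthnRequest the SP actually emits places RequestedAuthnContext directly under AuthnRequest, not inside Extensions. The following Python is an added example, not code from IBM or from this thread. It assumes the query parameter names AuthnContextClassRef and AuthnContextComparison from the IBM documentation linked above (verify them against that page for your release), constructs its own sample AuthnRequest XML, and implements the HTTP-Redirect binding encoding (base64 over raw DEFLATE) so a captured SAMLRequest value can be decoded and inspected offline.

```python
"""Build an ISAM SP-initiated SSO kickoff URL with RequestedAuthnContext
parameters, and verify the resulting AuthnRequest structure.
Added example; parameter names are assumed from the IBM docs."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Class reference from the thread (Danish public IdP)
DK_PERSON = "https://data.gov.dk/eid/Person"


def build_kickoff_url(base_url, partner_id, class_ref, comparison="exact", target=None):
    """Return the logininitial URL with the requested authentication context.
    AuthnContextClassRef / AuthnContextComparison are the parameter names
    assumed from the IBM documentation; PartnerId and Target are the usual
    SP-initiated SSO parameters. urlencode percent-encodes the URI value."""
    params = {
        "PartnerId": partner_id,
        "AuthnContextClassRef": class_ref,
        "AuthnContextComparison": comparison,
    }
    if target:
        params["Target"] = target
    return base_url + "?" + urllib.parse.urlencode(params)


def encode_redirect_saml_request(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(data).decode("ascii"), safe="")


def decode_redirect_saml_request(saml_request_param):
    """Inverse of the above: take the SAMLRequest value from a redirect URL
    and recover the AuthnRequest XML."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request_param))
    return zlib.decompress(raw, -15).decode("utf-8")


def check_requested_authn_context(authn_request_xml, expected_class_ref, expected_comparison="exact"):
    """Return (ok, reason). ok is True only when RequestedAuthnContext is a
    direct child of samlp:AuthnRequest with the expected Comparison and
    AuthnContextClassRef. A RequestedAuthnContext wrapped in Extensions
    (the Message Extension mapping-rule result) is reported as nested."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return False, "root element is not samlp:AuthnRequest"
    direct = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if direct is None:
        if root.find(f".//{{{SAMLP}}}RequestedAuthnContext") is not None:
            return False, "RequestedAuthnContext is nested (e.g. inside Extensions), not a direct child"
        return False, "RequestedAuthnContext is missing"
    # Per SAML 2.0 core, Comparison defaults to "exact" when absent
    comparison = direct.get("Comparison", "exact")
    if comparison != expected_comparison:
        return False, f"Comparison is {comparison!r}, expected {expected_comparison!r}"
    refs = [e.text.strip() for e in direct.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    if expected_class_ref not in refs:
        return False, f"AuthnContextClassRef {expected_class_ref!r} not present, got {refs}"
    return True, "ok"


# Constructed sample requests (attributes abbreviated to what the check needs)
_HEAD = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
         'ID="_example" Version="2.0" IssueInstant="2022-11-29T09:26:00Z">'
         '<saml:Issuer>https://sp.example.invalid/saml20</saml:Issuer>')
_RAC = (f'<samlp:RequestedAuthnContext Comparison="exact">'
        f'<saml:AuthnContextClassRef>{DK_PERSON}</saml:AuthnContextClassRef>'
        '</samlp:RequestedAuthnContext>')
CORRECT_REQUEST = _HEAD + _RAC + "</samlp:AuthnRequest>"
WRAPPED_REQUEST = _HEAD + "<samlp:Extensions>" + _RAC + "</samlp:Extensions></samlp:AuthnRequest>"


if __name__ == "__main__":
    print(build_kickoff_url("https://sp.example.invalid/saml20/logininitial",
                            "https://idp.example.invalid", DK_PERSON, target="https://app.example.invalid/"))
    encoded = encode_redirect_saml_request(CORRECT_REQUEST)
    print(check_requested_authn_context(decode_redirect_saml_request(encoded), DK_PERSON))
    print(check_requested_authn_context(WRAPPED_REQUEST, DK_PERSON))
```

    To use the checker against a live flow, copy the SAMLRequest query value from the redirect the SP sends to the IdP and pass it to decode_redirect_saml_request; the check then tells you whether the element landed under AuthnRequest as the specification requires or is still wrapped in Extensions.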



  • 3.  RE: Specifying RequestedAuthnContext in AuthnRequest for a federation

    Posted Fri December 02, 2022 02:47 AM
    Thanks Shane
    That is a simple solution

    ------------------------------
    Kim Petersen
    Specialist
    ATP
    ------------------------------