Implementing the OASIS Level of Assurance Authentication Context Profiles for SAML 2.0 in simpleSAMLphp


Ripul

Dec 7, 2010, 12:09:21 PM
to simpleSAMLphp
Hi,

I need to implement the OASIS Level of Assurance (LoA) Authentication
Context Profiles for SAML 2.0 at the simpleSAMLphp. My plan is to use
a config parameter at the SP. When the config parameter will be
present, the SP will add the AuthnContext for LoA to the AuthnRequest.
The IdP, upon receiving the Authentication Request and authenticating
the user, will also add the LoA of the authentication mechanism to the
AuthnContextClassRef element of the response. The LoA of each
authentication mechanism can be added/edited at the respective entry
inside the authsources.php.

With that said, I need to add this feature both at the SP and IdP.
Could anyone please tell me the right source files that I need to look
at? Any idea or suggestion will be highly appreciated.

Regards,
Ripul

Olav Morken

Dec 8, 2010, 10:59:09 AM
to simple...@googlegroups.com
On Tue, Dec 07, 2010 at 09:09:21 -0800, Ripul wrote:
> Hi,
>
> I need to implement the OASIS Level of Assurance (LoA) Authentication
> Context Profiles for SAML 2.0 at the simpleSAMLphp. My plan is to use
> a config parameter at the SP. When the config parameter will be
> present, the SP will add the AuthnContext for LoA to the AuthnRequest.

If you refer to setting the AuthnContext, I believe that should
already be supported by setting the 'AuthnContextClassRef' option.

> The IdP, upon receiving the Authentication Request and authenticating
> the user, will also add the LoA of the authentication mechanism to the
> AuthnContextClassRef element of the response.

This is currently possible with the change in r2656.

> The LoA of each
> authentication mechanism can be added/edited at the respective entry
> inside the authsources.php.

Not supported, and I don't think this is the right place to add it.
Instead, I think you need a specific authentication source, that can
check the authentication context the SP requires, and selects the
next authsource based on that. Then it could also add the
authentication context to the response.

> With that said, I need to add this feature both at the SP and IdP.
> Could anyone please tell me the right source files that I need to look
> at? Any idea or suggestion will be highly appreciated.

A lot of changes are necessary, including some changes to the Session
class in order to detect that the current level of assurance is lower
than the one the SP requests.

You will also need to add some code to modules/saml/lib/IdP/SAML2.php,
so that it can extract the requested authentication context from the
authentication request.

Regards,
Olav Morken
UNINETT / Feide
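The flow Olav sketches (extract the SP's requested context from the AuthnRequest, check whether the session's current LoA already satisfies it, otherwise pick the next authsource) as an added, stand-alone Python example; this is not simpleSAMLphp code. The NIST 800-63 class URIs are assumed from the OASIS profile, and the authsource names and the AuthnRequest are constructed.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# LoA ladder, weakest first. The class URIs are the OASIS LoA profile's NIST
# 800-63 classes as I recall them (an assumption; check them against the profile).
LOA_LADDER = ["urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63-%d" % i for i in range(1, 5)]
RANK = {uri: i for i, uri in enumerate(LOA_LADDER)}

# Constructed mapping from authsources.php entry names to the LoA each provides.
AUTHSOURCE_LOA = {"password": LOA_LADDER[0], "otp": LOA_LADDER[2], "smartcard": LOA_LADDER[3]}
# Constructed AuthnRequest asking for LoA 3 or stronger (not taken from the thread).
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" IssueInstant="2010-12-07T17:09:21Z">
 <saml:Issuer>https://sp.example.org/saml</saml:Issuer>
 <samlp:RequestedAuthnContext Comparison="minimum">
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63-3</saml:AuthnContextClassRef>
 </samlp:RequestedAuthnContext></samlp:AuthnRequest>"""

def requested_context(authn_request_xml):
    """Return (Comparison, [class refs]) from an AuthnRequest; SAML defaults Comparison to exact."""
    rac = ET.fromstring(authn_request_xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return "exact", []
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return rac.get("Comparison", "exact"), refs

def acceptable_ranks(comparison, refs):
    """Ladder ranks that satisfy the request under the SAML 2.0 Comparison rules."""
    if not refs:  # no LoA requested: any authentication will do
        return set(range(len(LOA_LADDER)))
    ranks = {RANK[r] for r in refs if r in RANK}
    if not ranks:  # SP asked only for classes this IdP does not know: nothing satisfies it
        return set()
    rules = {"exact": lambda r: r in ranks,          # one of the listed classes
             "minimum": lambda r: r >= min(ranks),   # at least as strong as the weakest listed
             "maximum": lambda r: r <= max(ranks),   # no stronger than the strongest listed
             "better": lambda r: r > max(ranks)}     # strictly stronger than every listed class
    return {r for r in range(len(LOA_LADDER)) if rules[comparison](r)}

def select_authsource(authn_request_xml, current_loa=None):
    """None if the session's LoA already satisfies the SP, else the weakest authsource that does."""
    acceptable = acceptable_ranks(*requested_context(authn_request_xml))
    if current_loa in RANK and RANK[current_loa] in acceptable:
        return None  # the Session check Olav mentions: no step-up needed
    candidates = sorted((RANK[loa], name) for name, loa in AUTHSOURCE_LOA.items()
                        if RANK[loa] in acceptable)
    if not candidates:
        raise LookupError("no configured authsource satisfies the requested context")
    return candidates[0][1]
```

The selected authsource's class URI is what the IdP would then place in the response's AuthnContextClassRef.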

Ripul

Dec 10, 2010, 11:15:21 AM
to simpleSAMLphp
Hi Olav,

Thank you very much for the insightful suggestion. This really helped
a lot.

Regards.
Ripul

Ripul

Dec 13, 2010, 7:33:02 AM
to simpleSAMLphp
Hi Olav,

I am writing a new authentication source for implementing the LoA
profile with simpleSAMLphp.

I wonder what would be the right way to access the
AuthnContextClassRef element of the
SAML Authentication request from an authentication source. Which
classes do I need to change for this?

Thanks,
Ripul

On Dec 8, 3:59 pm, Olav Morken <olav.mor...@uninett.no> wrote: