Re: AuthnContextClassRef

Jaime Perez Crespo

Apr 10, 2015, 11:47:08 AM4/10/15
to simple...@googlegroups.com
Hi Tim!

> On 20 Mar 2015, at 19:05 pm, Tim van Dijen <tvd...@gmail.com> wrote:
> I have a setup with an SP (3rd party, cannot be controlled), a simplesamlphp bridge and several IdPs connected.
> The SP requires an AuthnContextClassRef of
> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>
> I have configured the IdPs to return this attribute, but it's lost on the bridge, which sends
> urn:oasis:names:tc:SAML:2.0:ac:classes:Password back to the SP.
> How do I configure the bridge to return this attribute too?
> I have tried setting it in saml20-idp-hosted, just like I did on my IDPs, but it doesn't seem to work.
> Any help is appreciated.

How did you configure this in the IdPs? I’m asking because you should basically do the same for the proxy, but there’s no documented way to do that.

Also, the problem you are facing is due to the fact that SimpleSAMLphp does not officially support working as a proxy or bridge. So these kinds of things are not taken into account in the proxy, leading to problems.

Now, regarding your specific question, you need to configure the remote metadata for the SP that requires that authentication context (metadata/saml20-sp-remote.php in the proxy) with an authentication processing filter that adds the class you need:

—8<—
'authproc' => array(
    array(
        'class' => 'saml:AuthnContextClassRef',
        'AuthnContextClassRef' => 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
    ),
),
—>8—

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

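A way to verify what the bridge actually emits before and after adding the filter, as an added example that is not part of the original thread or of SimpleSAMLphp: it parses a SAML Response, pulls every AuthnContextClassRef out of the AuthnStatements, and reports whether the class the SP demands is present. The Response XML is a constructed, unsigned sample; the namespaces and element names are the standard SAML 2.0 ones.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The class the third-party SP in the thread insists on.
REQUIRED_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample: a minimal, unsigned Response shaped like what the bridge
# sent before the authproc filter was added (plain Password class).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AuthnStatement AuthnInstant="2015-03-20T18:05:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same sample after the filter rewrote the class, constructed for comparison.
FIXED_RESPONSE = SAMPLE_RESPONSE.replace(":Password<", ":PasswordProtectedTransport<")


def authn_context_classes(response_xml: str) -> List[str]:
    """Return every AuthnContextClassRef found in the Response's assertions."""
    root = ET.fromstring(response_xml)
    path = ".//saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [(el.text or "").strip() for el in root.findall(path, NS)]


def check_required_class(response_xml: str, required: str = REQUIRED_CLASS) -> Tuple[bool, List[str]]:
    """True only if at least one AuthnStatement carries the class the SP requires."""
    found = authn_context_classes(response_xml)
    return (required in found, found)


if __name__ == "__main__":
    for label, xml in (("before filter", SAMPLE_RESPONSE), ("after filter", FIXED_RESPONSE)):
        ok, found = check_required_class(xml)
        print(label, "accepted" if ok else "rejected", found)
```

Keep in mind that the authproc filter only rewrites the asserted class; it does not change how the upstream IdP actually authenticated the user, so the SP is trusting the proxy's word for it.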