Requesting a specific AuthnContextClassRef in a proxy IdP


Keith Wessel

Jan 11, 2017, 4:00:08 PM
to simple...@googlegroups.com

Hi, all,

For those of you who didn’t just see my confused post to the Shibboleth users list:

I’m setting up a proxy IdP with SSP. Everything was working fine until I tried to do something crazy and have the SSP SP request a specific authnContextClassRef from my Shibboleth IdP.

The use case is that we have a few SPs that can’t use a discovery service but need to be accessed by users from multiple campuses. Having everything working, I decided it would be nice if these SPs might have the option of using two different IdP entity IDs depending on whether or not they want our users to be prompted for MFA. The option of having the SSP IdP take a requested authn context class ref from the original SP and pass that through the SSP SP to the Shibboleth IdP was attractive, but considering most of these SPs don’t follow any standards at all, it’s unlikely they’ll be able to request an authentication context. So, the goal is two proxy IdPs, each with its own authentication source SP. One will request password, the other MFA.

I thought this would be as simple as adding the following to my SP configuration in authsources.php:

    'saml:AuthnContextClassRef' => 'urn:mace:incommon:uiuc.edu:custom',

But looking at the SSP log and the message being sent to my Shibboleth IdP, there’s no authnContextClassRef in the generated request at all. This is true regardless of whether my real SP requests a specific authn context or not.

Is this not the right way to request a specific authncontextclass from the real IdP? Even if I use the link from the SSP authentication source test page, keeping the proxy IdP out of the loop, the IdP still doesn’t receive a request for MFA. The SAML authentication request logged by both SSP and the Shibboleth IdP doesn’t include a requested authn context class.

What am I doing wrong?

Thanks,

Keith

pat...@cirrusidentity.com

Jan 12, 2017, 2:30:23 PM
to SimpleSAMLphp



I thought this would be as simple as adding the following to my SP configuration in authsources.php:

    'saml:AuthnContextClassRef' => 'urn:mace:incommon:uiuc.edu:custom',


Try
    'AuthnContextClassRef' => 'urn:mace:incommon:uiuc.edu:custom',

The saml: prefix is used when calling the API yourself to indicate it is a saml option. When you are in the saml authsource you don't need the prefix.

Also you'll need to enforce that the IDP honored that AuthnContextClassRef when it responds. You can check the response with an authproc filter https://simplesamlphp.org/docs/1.14/saml:authproc_expectedauthncontextclassref

I haven't used these specific settings but I think that's what you need.

-Patrick

Keith Wessel

Jan 12, 2017, 3:37:21 PM
to simple...@googlegroups.com

Thanks, Patrick. That did it. I should have figured out the saml: prefix wasn’t needed.

Thanks for the suggestion of adding the authproc, too.

Keith


Keith Wessel

Jan 13, 2017, 3:22:00 PM
to simple...@googlegroups.com

One follow-up question on this. I don’t have a saml20-hosted-sp.php in my metadata dir. The SP parameters are all defined in authsources.php. But the docs state that authprocs can only be defined in config.php or in metadata files. Can I put an authproc array inside my SP definition in authsources.php? Or do I need to define it in a new saml20-hosted-sp.php?

If the latter, how much do I need to repeat from the definition of the SP in authsources.php? Is it enough to just put the entityID at the top and the authproc block inside? Everything seems to be working now with what I have in authsources.php.

Thanks,

Keith


Patrick Radtke

Jan 13, 2017, 6:34:15 PM
to simple...@googlegroups.com
On Fri, Jan 13, 2017 at 12:21 PM, Keith Wessel <ke...@wessel.com> wrote:

One follow-up question on this. I don’t have a saml20-hosted-sp.php in my metadata dir. The SP parameters are all defined in authsources.php. But the docs state that authprocs can only be defined in config.php or in metadata files. Can I put an authproc array inside my SP definition in authsources.php? Or do I need to define it in a new saml20-hosted-sp.php?


You can put authproc inside of authsources.php. In your specific use case (verifying AuthnContextClassRef) I think it needs to go there. Putting it in saml20-hosted-sp.php would mean it gets invoked on the 'Proxy IdP -> Proxied SP' side of your proxy, while your goal is to have it invoked on the 'Upstream IdP -> Proxy SP' side of the proxy to verify what the upstream IdP sent.


    array(
        'saml:SP',
        'entityID' => 'https://example',

        'authproc' => array(
            // Convert LDAP names to oids.
            100 => array('class' => 'core:AttributeMap', 'name2oid'),
        ),
    );


If the latter, how much do I need to repeat from the definition of the SP in authsources.php? Is it enough to just put the entityID at the top and the authproc block inside? Everything seems to be working nw with what I have in authsources.php.


I touched on this above, saml20-hosted-sp.php is for the SPs that use your proxy IdP for authentication.  Your Proxy IdP uses the SP in authsources for authentication. So your proxy SP and those in saml20-hosted-sp.php shouldn't overlap.

-Patrick
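Putting Patrick's two replies together (the unprefixed AuthnContextClassRef option in the saml:SP authsource, and the ExpectedAuthnContextClassRef filter placed in the authsource's own authproc so it runs on the upstream-IdP-to-proxy-SP leg), here is what the two-proxy-IdP layout Keith described looks like in configuration. This is an added example, not code from the thread or from the SimpleSAMLphp project; the hostnames, entity IDs, key file names and authsource names are placeholders, the password class is the standard SAML 2.0 PasswordProtectedTransport URN, and urn:mace:incommon:uiuc.edu:custom is the MFA class Keith used. It assumes both hostnames resolve to the same SSP installation.

```php
<?php
/*
 * Excerpt 1: config/authsources.php
 *
 * Two saml:SP authsources, one per authentication strength. Each one asks the
 * upstream (Shibboleth) IdP for a specific class and then refuses the response
 * unless that class actually came back, so an upstream fallback to a weaker
 * method can never be re-asserted by the MFA proxy IdP.
 * All names and URLs below are placeholders (assumed, not from the thread).
 */
$config = array(

    // Authsource used by the "password" proxy IdP.
    'proxy-password-sp' => array(
        'saml:SP',
        'entityID' => 'https://proxy.example.org/password-sp',
        'idp'      => 'https://idp.example.org/idp/shibboleth',

        // Inside a saml:SP authsource the option carries no "saml:" prefix.
        'AuthnContextClassRef'   => 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
        // Comparison attribute on the RequestedAuthnContext; 'exact' is the SAML default.
        'AuthnContextComparison' => 'exact',

        // Runs when the upstream IdP's response arrives at this SP, i.e.
        // before the proxy IdP issues anything to the downstream SP.
        'authproc' => array(
            10 => array(
                'class'    => 'saml:ExpectedAuthnContextClassRef',
                'accepted' => array(
                    'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
                ),
            ),
        ),
    ),

    // Authsource used by the "MFA" proxy IdP.
    'proxy-mfa-sp' => array(
        'saml:SP',
        'entityID' => 'https://proxy.example.org/mfa-sp',
        'idp'      => 'https://idp.example.org/idp/shibboleth',

        'AuthnContextClassRef'   => 'urn:mace:incommon:uiuc.edu:custom',
        'AuthnContextComparison' => 'exact',

        'authproc' => array(
            10 => array(
                'class'    => 'saml:ExpectedAuthnContextClassRef',
                // Only the MFA class is acceptable here; a plain password
                // response from the upstream IdP fails the login.
                'accepted' => array('urn:mace:incommon:uiuc.edu:custom'),
            ),
        ),
    ),
);

/*
 * Excerpt 2: metadata/saml20-idp-hosted.php
 *
 * Two hosted proxy IdPs, selected by hostname, each bound to its own
 * authsource above. A downstream SP picks the strength it wants simply by
 * choosing which of the two IdP entity IDs to send its request to.
 * An 'authproc' block placed here would run on the proxy-IdP-to-downstream-SP
 * leg instead, which is why the check above lives in authsources.php.
 */
$metadata['https://password-proxy.example.org/idp'] = array(
    'host'        => 'password-proxy.example.org',
    'privatekey'  => 'proxy.pem',
    'certificate' => 'proxy.crt',
    'auth'        => 'proxy-password-sp',
);

$metadata['https://mfa-proxy.example.org/idp'] = array(
    'host'        => 'mfa-proxy.example.org',
    'privatekey'  => 'proxy.pem',
    'certificate' => 'proxy.crt',
    'auth'        => 'proxy-mfa-sp',
);
```

The point of the authproc in the authsource, rather than in the hosted-IdP metadata, is the one Patrick made: the filter has to inspect what the upstream IdP asserted, and that is only visible on the SP side of the proxy. Requesting a class in the AuthnRequest is a hint the upstream IdP may or may not honour; the ExpectedAuthnContextClassRef filter is what turns it into an enforced requirement.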