Hi, all,
For those of you who didn’t just see my confused post to the Shibboleth users list:
I’m setting up a proxy IdP with SSP. Everything was working fine until I tried to do something crazy and have the SSP SP request a specific authnContextClassRef from my Shibboleth IdP.
The use case is that we have a few SPs that can’t use a discovery service but need to be accessed by users from multiple campuses. Having everything working, I decided it would be nice if these SPs might have the option of using two different IdP entity IDs depending on whether or not they want our users to be prompted for MFA. The option of having the SSP IdP take a requested authn context class ref from the original SP and pass that through the SSP SP to the Shibboleth IdP was attractive, but considering most of these SPs don’t follow any standards at all, it’s unlikely they’ll be able to request an authentication context. So, the goal is two proxy IdPs, each with its own authentication source SP. One will request password, the other MFA.
I thought this would be as simple as adding the following to my SP configuration in authsources.php:
'saml:AuthnContextClassRef' => 'urn:mace:incommon:uiuc.edu:custom',
But looking at the SSP log and the message being sent to my Shibboleth IdP, there’s no authnContextClassRef in the generated request at all. This is true regardless of whether my real SP requests a specific authn context or not.
Is this not the right way to request a specific authn context class from the real IdP? Even if I use the link from the SSP authentication source test page, keeping the proxy IdP out of the loop, the IdP still doesn’t receive a request for MFA. The SAML authentication request logged by both SSP and the Shibboleth IdP doesn’t include a requested authn context class.
What am I doing wrong?
Thanks,
Keith
I thought this would be as simple as adding the following to my SP configuration in authsources.php:
'saml:AuthnContextClassRef' => 'urn:mace:incommon:uiuc.edu:custom',
Thanks, Patrick. That did it. I should have figured out the saml: prefix wasn’t needed.
Thanks for the suggestion of adding the authproc, too.
Keith
--
You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
Visit this group at https://groups.google.com/group/simplesamlphp.
One follow-up question on this. I don’t have a saml20-hosted-sp.php in my metadata dir. The SP parameters are all defined in authsources.php. But the docs state that authprocs can only be defined in config.php or in metadata files. Can I put an authproc array inside my SP definition in authsources.php? Or do I need to define it in a new saml20-hosted-sp.php?
If the latter, how much do I need to repeat from the definition of the SP in authsources.php? Is it enough to just put the entityID at the top and the authproc block inside? Everything seems to be working now with what I have in authsources.php.
Thanks,
Keith
From: simple...@googlegroups.com [mailto:simple...@googlegroups.com] On Behalf Of pat...@cirrusidentity.com
Sent: Thursday, January 12, 2017 1:30 PM
To: SimpleSAMLphp <simple...@googlegroups.com>
Subject: Re: Requesting a specific AuthnContextClassRef in a proxy IdP
One follow-up question on this. I don’t have a saml20-hosted-sp.php in my metadata dir. The SP parameters are all defined in authsources.php. But the docs state that authprocs can only be defined in config.php or in metadata files. Can I put an authproc array inside my SP definition in authsources.php? Or do I need to define it in a new saml20-hosted-sp.php?
array(
    'saml:SP',
    'entityID' => 'https://example',
    'authproc' => array(
        // Convert LDAP names to oids.
        100 => array('class' => 'core:AttributeMap', 'name2oid'),
    ),
);
If the latter, how much do I need to repeat from the definition of the SP in authsources.php? Is it enough to just put the entityID at the top and the authproc block inside? Everything seems to be working now with what I have in authsources.php.
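As an added example (not code from the thread, from Keith or from Patrick), this is how the two authentication sources Keith describes could be laid out in authsources.php: the static AuthnContextClassRef option without the saml: prefix, and an authproc block inside each SP definition. The entity IDs and the upstream IdP entityID are placeholders, the REFEDS MFA profile URI stands in for the thread's custom urn:mace:incommon:uiuc.edu:custom class, and the saml:ExpectedAuthnContextClassRef filter assumes a SimpleSAMLphp release that ships it.

```php
<?php
// config/authsources.php (added example). Two saml:SP sources, one per proxy IdP:
// the first asks the upstream Shibboleth IdP for a password login, the second for MFA.
// Entity IDs and the upstream IdP entityID below are placeholders.
$config = [
    // Note: 'saml:AuthnContextClassRef' is the per-login option passed to
    // $as->login([...]); the static option in authsources.php has no prefix.
    'campus-sp-password' => [
        'saml:SP',
        'entityID' => 'https://proxy.example.edu/sp/password',            // placeholder
        'idp'      => 'https://idp.example.edu/idp/shibboleth',           // placeholder
        'AuthnContextClassRef'   => 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
        'AuthnContextComparison' => 'exact',
        'authproc' => [
            // Convert LDAP attribute names to OIDs before handing them to the proxy IdP.
            100 => ['class' => 'core:AttributeMap', 'name2oid'],
        ],
    ],
    'campus-sp-mfa' => [
        'saml:SP',
        'entityID' => 'https://proxy.example.edu/sp/mfa',                 // placeholder
        'idp'      => 'https://idp.example.edu/idp/shibboleth',           // placeholder
        // REFEDS MFA profile; the thread's urn:mace:incommon:uiuc.edu:custom works the same way.
        'AuthnContextClassRef'   => 'https://refeds.org/profile/mfa',
        'AuthnContextComparison' => 'exact',
        'authproc' => [
            // Requesting a context is not the same as getting it: reject the assertion
            // unless the IdP actually asserted the MFA class. (Filter assumed to be
            // available in the installed SimpleSAMLphp release.)
            50 => [
                'class'    => 'saml:ExpectedAuthnContextClassRef',
                'accepted' => ['https://refeds.org/profile/mfa'],
            ],
            100 => ['class' => 'core:AttributeMap', 'name2oid'],
        ],
    ],
];
```

Each proxy IdP in saml20-idp-hosted.php then points its 'auth' option at one of these two source names, so the choice of password versus MFA is made by which IdP entity ID the downstream SP uses rather than by anything that SP has to request.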