Handling RequestedAuthnContext from idP

[huwi...@champlain.edu]

Is there any support for Authentication Contexts at the idP level?  

For example, if an SP sends...

<samlp:RequestedAuthnContext Comparison="exact">  <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>

... how do I (a) respond with the following in my idP's response?

<saml:AuthnContext>  <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
</saml:AuthnContext>

... and (b) is there a way to access requested context from api on custom auth page in order to limit authentication choices?

Thanks in advance!

Matt

[pat...@cirrusidentity.com]

Hi Matt,

For A)
You can define a an authproc filter https://simplesamlphp.org/docs/stable/saml/authproc_authncontextclassref.html to set it for your response

We need to set it conditionally so we use our own https://github.com/cirrusidentity/simplesamlphp-module-cirrusgeneral/#conditionalsetauthncontext

For B) in your custom auth page you'll likely have access to the user's state. It should be in there (I've accessed it from auth filters before), and it can be multi-valued.

 `$state['saml:RequestedAuthnContext']['AuthnContextClassRef']`

- Patrick

[huwi...@champlain.edu]

This is exactly what I was looking for.  Thank you Patrick.