AuthnContextClassRef

29 views
Skip to first unread message

Mark Boyce

unread,
May 5, 2026, 3:47:45 PMMay 5
to simple...@googlegroups.com

Hello all,

 

When the authsource/SP requests https://refeds.org/profile/mfa, the IdP responds with the correct Authn Context… however, what’s being returned to the originating SP is urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport. The originating SP is not requesting an authentication context. Is this because the originating SP is not requesting an auth context or …

 

Thanks,

m.

 

 

Mark L. Boyce

Senior Identity Management Analyst

University of California, Office of the President

Office: 510.987.9681

Cell: 209.851.0196

 

Tim van Dijen

unread,
Jul 9, 2026, 11:29:42 AM (5 days ago) Jul 9
to SimpleSAMLphp
HI Mark,

I'm sorry I never responded to this. SimpleSAMLphp by default ignores any RequestedAuthnContext from an AuthnRequest.

What you could do is to use the RequestedAuthnContextSelector:  https://github.com/simplesamlphp/simplesamlphp/blob/master/modules/core/docs/authsource_selector.md
This will allow you to differentiate and select an authsource based on the requested context with a certain default fallback.

If you have only one SP and all you want to do is to fix the AuthnContextClassRef in the response, then you can add the AuthnContextClassRef-authproc-filter to your saml2-idp-hosted.php:
https://github.com/simplesamlphp/simplesamlphp/blob/master/modules/saml/docs/authproc_authncontextclassref.md

I think the RequestedAuthnContextSelector-option is the pretty solution, but you can still use the authproc-filter and use precondition-filters to target the authproc-filter to one SP:
https://github.com/simplesamlphp/simplesamlphp/blob/2a1651b8179b590e064eaa085fdaa3d92a8fc298/docs/simplesamlphp-authproc.md?plain=1#L114

I hope this helps. Let me know if you have any questions.

- Tim

Op dinsdag 5 mei 2026 om 21:47:45 UTC+2 schreef mark....@ucop.edu:
Reply all
Reply to author
Forward
0 new messages