I am new to this list. I searched the archive but did not find any
reference about SAML 2.0 Authentication Context.
I'm working on the central SAML 2.0 IdP for my institution (INFN: Italian
National Institute for Nuclear Physics); we decided to use simpleSAMLphp
for it.
I wrote a custom authentication module that works with LDAP, X509-PKI,
Kerberos5 GSS-API and Kerberos5 username/password.
When I use, for example, a Shibboleth2 SP, I can see the Authentication
Context in the attributes. How can I get it also in the simpleSAMLphp SP?
And, most importantly, how can I set the Authentication Context from the IdP
in my custom authentication module?
In my code, when the user authenticates correctly I do:
######################################################################
// Mark the session as authenticated for the 'login' authority
$session->doLogin('login');
// Attributes collected for this user by the custom module (LDAP, X509, Kerberos)
$session->setAttributes($attributes);
// Transient NameID: a fresh random identifier for this session
$session->setNameID(array(
    'value' => SimpleSAML_Utilities::generateID(),
    'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
));
######################################################################
I tried to pass something different to doLogin() without success. Can
you help me?
Thank you very much.
Regards,
Dael Maselli.
--
___________________________________________________________________
Dael Maselli --- INFN-LNF Computing Service -- +39.06.9403.2214
___________________________________________________________________
* Il Buco Nero * http://www.buconero.eu *
___________________________________________________________________
Democracy is two wolves and a lamb voting on what to have for lunch
___________________________________________________________________
Thank you.
Dael Maselli.
https://spaces.internet2.edu/display/macedir/Draft+-+eduPersonAssurance
Kind regards
Lasse Birnbaum Jensen
Network Administrator, IT Services
Tel. 6550 2873
Mobile 6011 2873
Fax 6550 2860
Email la...@sdu.dk
Web http://intern.sdu.dk/enheder/it-service/ansatte/lbj-2881/
Address Campusvej 55, 5230 Odense M
SYDDANSK UNIVERSITET
_______________________________________________________________
Campusvej 55 * 5230 * Odense M * Tel. 6550 1000 * www.sdu.dk
> -----Original message-----
> From: simple...@googlegroups.com
> [mailto:simple...@googlegroups.com] On behalf of Dael Maselli
> Sent: 28 January 2009 13:47
> To: simple...@googlegroups.com
> Subject: Re: SAML 2.0 Authentication Context
> Could you at least tell me if it is possible to set an authentication
> context other than 'password'?
In SP hosted metadata, you can set:
AuthnContextClassRef
See:
http://rnd.feide.no/content/using-simplesamlphp-service-provider
Currently there is no support at the IdP to select the authentication
method based on the authentication context. If many want this, we may
consider implementing it.
I've added it as an issue:
http://code.google.com/p/simplesamlphp/issues/detail?id=144
Andreas Åkre Solberg
--
Andreas Åkre Solberg
=andreas
http://rnd.feide.no
Thank you.
Dael Maselli.
--
> Well, I think it would be useful to request a specific AuthnContext in
> some SP, obviously the IdP should support it ;-)
In SAML 2.0 SP hosted metadata, you can add:
'AuthnContextClassRef' => 'urn:foo:bar',
Then the AuthnRequest will contain a request for a specific authentication
context class.
A) Do we require any validation on the Service side w.r.t. the AuthnContextClassRef?
Basically, if SP1 has already logged on to the IdP using a weaker authentication mechanism and SP2 demands a stronger authentication mechanism, the login would still be successful for SP2 based on the IdP cookie, and SP2 would receive an AuthnContextClassRef with the weaker authentication mechanism. In that case, isn't it a violation of the agreement between the service provider and the identity provider?
Thanks,
Rajesh
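The SP-side check Rajesh asks about, covering both the 'AuthnContextClassRef' the SP requests in its hosted metadata and the class the IdP actually asserts back, as an added example that is not simpleSAMLphp code: the SP compares the asserted AuthnContextClassRef with the requested one and refuses a session that was established with a weaker method. The strength ordering of context classes and the sample assertion are assumptions constructed for the example; SAML itself defines no ranking, so each deployment must decide which classes satisfy which.

```python
# Added example (not simpleSAMLphp code): SP-side validation of the
# AuthnContextClassRef returned by the IdP against the one the SP requested.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumed deployment-specific ordering, weakest to strongest. SAML defines
# no ordering between classes, so this table is a local policy decision.
STRENGTH = {
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "Kerberos": 3,
    AC + "X509": 4,
}


def asserted_authn_context(assertion_xml: str) -> str:
    """Extract the AuthnContextClassRef the IdP asserted, failing if absent."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(f".//{{{SAML_NS}}}AuthnContextClassRef")
    if ref is None or not (ref.text or "").strip():
        raise ValueError("assertion carries no AuthnContextClassRef")
    return ref.text.strip()


def satisfies(asserted: str, requested: str, comparison: str = "exact") -> bool:
    """Apply the RequestedAuthnContext Comparison rule ('exact' or 'minimum')."""
    if comparison == "exact":
        return asserted == requested
    if comparison == "minimum":
        if asserted not in STRENGTH or requested not in STRENGTH:
            return False  # unknown class: refuse rather than guess its strength
        return STRENGTH[asserted] >= STRENGTH[requested]
    raise ValueError(f"unsupported comparison {comparison!r}")


def check_response(assertion_xml: str, requested: str, comparison: str = "exact") -> bool:
    """True if the SP may accept the login; False means the SP must re-authenticate."""
    return satisfies(asserted_authn_context(assertion_xml), requested, comparison)


# Constructed sample: the IdP reused an existing password-based session.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_x1" Version="2.0">
  <saml:AuthnStatement AuthnInstant="2009-01-28T12:47:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{AC}Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    # SP2 asked for at least X509; a password session must be rejected.
    print(check_response(SAMPLE_ASSERTION, AC + "X509", "minimum"))  # False
```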