Request AuthnContextClassRef


Joakim Westlund

Dec 23, 2024, 5:57:27 PM
to SimpleSAMLphp

Hi, I’m struggling with AuthnContextClassRef.

I have an SP that requests an AuthnContextClassRef from SSP.

SSP uses an external IDP for this, but that external IDP doesn't have the AuthnContextClassRef that is originally requested.

So, I thought that I could add the following to authsources.php.

# To generate the response back to the SP

    'authproc' => [
        90 => [
                'class' => 'saml:AuthnContextClassRef',
                'AuthnContextClassRef' => 'urn:oasis:names:tc:SAML:2.0:ac:classes:loa2',
        ],
    ],

 # And this to request the correct ACCR from the IDP

'AuthnContextClassRef' => 'urn:oasis:names:tc:SAML:2.0:ac:classes:loa3',

  

The steps.

  1. Request comes to SSP; depending on the ACR ('urn:oasis:names:tc:SAML:2.0:ac:classes:loa2'), Selector selects the correct authsource.
  2. SSP requests 'urn:oasis:names:tc:SAML:2.0:ac:classes:loa3' from the IDP
  3. In the Response to SP, SSP sends 'urn:oasis:names:tc:SAML:2.0:ac:classes:loa2'

 

Result:

The original ACCR is sent to the external IDP.

Is it not possible? Or what am I doing wrong?


/ Joakim

Tim van Dijen

Jan 6, 2025, 6:36:35 AM
to SimpleSAMLphp
Hey Joakim,

I think you're running the authproc-filter too early. Put it in saml20-sp-remote.php in the entry for this specific SP and it should work.

- Tim
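
The placement Tim describes, laid out as configuration. This is an added example, not code from the thread or from the SimpleSAMLphp project; the entity IDs, the ACS URL and the authsource name `upstream-idp` are placeholders.

```php
<?php
// Added example. Entity IDs, the ACS URL and the authsource name
// 'upstream-idp' are placeholders, not values from the thread.

// --- config/authsources.php ---
// SP-side authsource that talks to the external IdP. Only the upstream
// request setting from the original post stays here; the
// saml:AuthnContextClassRef filter is no longer configured at this level.
$config = [
    'upstream-idp' => [
        'saml:SP',
        'entityID' => 'https://proxy.example.org/sp',
        'idp' => 'https://idp.example.net/metadata',
        'AuthnContextClassRef' => 'urn:oasis:names:tc:SAML:2.0:ac:classes:loa3',
    ],
];

// --- metadata/saml20-sp-remote.php ---
// authproc filters in an SP's metadata entry run on the IdP side of SSP,
// when the response for this one SP is being built. The filter therefore
// affects only what this SP receives.
$metadata['https://sp.example.org/metadata'] = [
    'AssertionConsumerService' => 'https://sp.example.org/acs',
    'authproc' => [
        90 => [
            'class' => 'saml:AuthnContextClassRef',
            'AuthnContextClassRef' => 'urn:oasis:names:tc:SAML:2.0:ac:classes:loa2',
        ],
    ],
];
```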
