Multiple login handlers and Shib-Authentication-Method attribute behavior
Stefan Wold
ratler at stderr.eu
Fri Sep 2 17:59:32 BST 2011
Hello,
I have an issue that confuses me quite a bit; I'm not sure if it's intended to
work this way, if it's a bug, or if I just configured something wrong. I
have two login handlers, one is UserPassword, the other is MultiFactor
(2FA). My SP then requests MultiFactor to be used, which works great: I get
the correct login handler and form from the IdP, and if I complete the login
I get the header Shib-Authentication-Method =
urn:oasis:names:tc:SAML:2.0:ac:classes:Token, as expected.
But if I change my auth context before logging in with 2FA, by modifying
the URL from /MultiFactor to /UserPassword, and then complete the login
request using only one factor, I still get Shib-Authentication-Method =
urn:oasis:names:tc:SAML:2.0:ac:classes:Token. I would have expected
Shib-Authentication-Method =
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.
This means I can't rely on Shib-Authentication-Method to determine whether
the user logged in with a secure method before accessing some content. Have I
misunderstood something here?
Another related question: I know it's possible to set a
defaultAuthenticationMethod in RelyingParty, but is there any way to
enforce it rather than allowing the SP to override it?
Thanks
--
Sincerely
Stefan Wold
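For reference, this is how the SP side of the scenario above is usually wired up in a Shibboleth SP 2.x RequestMapper: the protected path requests the Token authentication context from the IdP, and an AccessControl rule then only admits sessions whose asserted authentication context is that class. This is an added illustration, not configuration from the original message or from the Shibboleth project; the hostname, path and applicationId are placeholders. Note that the rule can only be as trustworthy as the value the IdP asserts: in the situation described in the post, where the IdP reports Token even after a single-factor login, the SP-side check would pass although only one factor was used.

```xml
<!-- Added example (not from the original post): request the Token context
     class for /secure and require that the IdP actually asserted it.
     Hostname, path and applicationId are placeholders. -->
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="sp.example.org">
      <!-- authnContextClassRef here is what the SP asks the IdP to use,
           i.e. the equivalent of the /MultiFactor login handler request. -->
      <Path name="secure" authType="shibboleth" requireSession="true"
            authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Token">
        <AccessControl>
          <!-- Only admit a session whose asserted authentication context
               (the value surfaced as Shib-Authentication-Method) is Token.
               A PasswordProtectedTransport session is rejected. -->
          <Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:Token</Rule>
        </AccessControl>
      </Path>
    </Host>
  </RequestMap>
</RequestMapper>
```

The Rule compares the authentication context class stored in the SP session, so it is independent of whatever the application reads from request headers; but it still depends on the IdP asserting the method that was really used, which is exactly the property the post calls into question.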