Using Apache ShibRequestSetting authnContextClassRef and requesting new session

Cantor, Scott cantor.2 at osu.edu
Wed Apr 11 22:08:02 BST 2012


> > But if I use user/password to authenticate first to access /protected.test
> > then try and access /protected.test.x509, I get an "Authentication Failed"
> > page.
> >
> > How can I get apache to request a new session using x509?
> 
> The SP doesn't support step-up. If you want to create session boundaries,
> you have to implement them in the SP as separate applications. The admin
> portion of an app would have to be explicitly identifiable by URL and then carved
> out as a separate applicationId.

A slightly more precise answer, that gets at the way all these options work, is that the SP has settings for content that enforce access rules (that would be the require) and settings that apply to the generation of requests for new sessions (such as the authnContextClassRef setting).

What the SP doesn't do is explicitly treat a failure in authorization as a justification to request a new session. That's for obvious reasons: it assumes that access was denied for reasons that won't change just by asking nicely.

The problem comes in when the authorization layer is combined with rules that actually are transactional and can change. The additional answer, besides that it doesn't do step-up, is that it pretty much assumes that anything that needs step-up is an app, and not static content, and apps can examine the data, decide to request a new session via /Shibboleth.sso/Login, and adjust the request as needed.

That's the main target for those features, so they don't work as well with static content today.

-- Scott
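The step-up pattern Scott describes above (the app examines the session data the SP exports, decides it needs a different authentication context, and sends the browser to /Shibboleth.sso/Login with an adjusted request) as an added example. This is not code from the thread or from the Shibboleth project. It assumes the SP exports the session's context as the `Shib-AuthnContext-Class` header and the session id as `Shib-Session-ID`, that the session initiator lives at the default `/Shibboleth.sso/Login`, and that it accepts the `target`, `authnContextClassRef` and `forceAuthn` query parameters; the per-path policy table is constructed for the example.

```python
from urllib.parse import urlencode

# Standard SAML 2.0 authentication context class URIs (OASIS-defined).
X509_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Default SP session-initiator location (assumed: the SP's stock handler path).
LOGIN_HANDLER = "/Shibboleth.sso/Login"

# Constructed policy table: the context each path demands. None means
# "any authenticated session", i.e. the app-side equivalent of a plain
# require valid-user; these rules are what a static ACL cannot express.
REQUIRED_CONTEXT = {
    "/protected.test": None,
    "/protected.test.x509": X509_CLASS,
}


def login_url(target, required_class=None, force=False):
    """Build the URL that asks the SP to start a new session for `target`.

    authnContextClassRef tells the SP which context to request from the IdP;
    forceAuthn asks the IdP to re-authenticate even if it already holds an
    SSO session for the user.
    """
    params = {"target": target}
    if required_class:
        params["authnContextClassRef"] = required_class
    if force:
        params["forceAuthn"] = "true"
    return f"{LOGIN_HANDLER}?{urlencode(params)}"


def decide(path, headers):
    """Return ("allow", None), ("redirect", url) or ("deny", reason).

    `headers` is the request-header mapping the SP populates after a
    successful session check. Paths with no policy entry are denied so the
    application, not the caller, owns every decision (default deny).
    """
    if path not in REQUIRED_CONTEXT:
        return ("deny", "no policy for path")
    required = REQUIRED_CONTEXT[path]

    # No SP session at all: ordinary login, naming the required context if any.
    if not headers.get("Shib-Session-ID"):
        return ("redirect", login_url(path, required))

    # A session exists; compare what the IdP asserted with what this path needs.
    # Context class URIs are opaque identifiers: compare for exact equality and
    # do not assume one class is "stronger" than another.
    current = headers.get("Shib-AuthnContext-Class")
    if required is None or current == required:
        return ("allow", None)

    # Step-up: the session is valid but was established with the wrong
    # context, so request a new one instead of simply failing authorization.
    # This is the branch the SP's static rules never take on their own.
    return ("redirect", login_url(path, required, force=True))


if __name__ == "__main__":
    # Constructed headers for a session that authenticated with a password.
    password_session = {
        "Shib-Session-ID": "_constructed-session-id",
        "Shib-AuthnContext-Class": PASSWORD_CLASS,
    }
    for p in ("/protected.test", "/protected.test.x509"):
        print(p, "->", decide(p, password_session))
```

With a password-authenticated session, `/protected.test` is allowed while `/protected.test.x509` yields a redirect to the login handler carrying `authnContextClassRef` for X.509 and `forceAuthn=true`; the same request with no SP session at all gets a plain login redirect. Keep `target` to paths on the application itself so the redirect cannot be turned into an open redirect.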


