Is an authnContextClassRef of "unspecified" the same as "PasswordProtectedTransport" ?
Terry Fleury
tfleury at illinois.edu
Fri Jan 27 23:07:25 GMT 2012
Upon further testing, I discovered that when the SP requests "unspecified"
for authnContextClassRef, the IdP responds with the first
"AuthenticationMethod" configured for the given LoginHandler.
In other words, when the IdP is configured with the following in handler.xml:
<ph:LoginHandler xsi:type="ph:UsernamePassword"
                 jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    <ph:AuthenticationMethod>http://id.incommon.org/assurance/bronze-test</ph:AuthenticationMethod>
    <ph:AuthenticationMethod>http://id.incommon.org/assurance/silver-test</ph:AuthenticationMethod>
</ph:LoginHandler>
It returns
"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" in
response to
authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified".
If I reorder the configuration in handler.xml as follows:
<ph:LoginHandler xsi:type="ph:UsernamePassword"
                 jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
    <ph:AuthenticationMethod>http://id.incommon.org/assurance/silver-test</ph:AuthenticationMethod>
    <ph:AuthenticationMethod>http://id.incommon.org/assurance/bronze-test</ph:AuthenticationMethod>
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>
The IdP returns "http://id.incommon.org/assurance/silver-test" in response
to authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified".
So semantically, requesting "unspecified" means "give me the first
configured authn".
Does this mean sending
authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" to
the IdP is the same as not sending authnContextClassRef at all?
Terry Fleury
tfleury at illinois.edu
On 1/27/2012 4:50 PM, Chad La Joie wrote:
> "unspecified" means "any that you (the relying party) choose". So if
> the IdP supports username/password then it's free to respond with that.
>
> On 1/27/12 5:45 PM, Terry Fleury wrote:
>> During my InCommon SP Assurance Use Case testing, I discovered that passing
>> authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
>> from SP to IdP resulted in the IdP responding with
>> Shib-AuthnContext-Class="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport".
>> Is this the expected behavior?
>>
>> I thought that if the SP requested a specific authnContextClassRef, the IdP
>> had to respond with that same value, or respond with an error if unable to
>> fulfill.
>>
>> Terry Fleury
>> tfleury at illinois.edu
>>
>> --
>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
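The thread's practical consequence for an SP: if it asks for "unspecified", the IdP may answer with whatever method it likes, so the SP has to apply its own allow-list to the class the IdP actually asserted rather than trust the request. The following is an added example, not code from this thread or from the Shibboleth project; the response fragment is constructed, and the function names and the SP policy set are assumptions.

```python
"""SP-side check of the AuthnContextClassRef an IdP actually asserted.
Constructed example (not Shibboleth code); URIs are the ones from the thread."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
BRONZE = "http://id.incommon.org/assurance/bronze-test"
SILVER = "http://id.incommon.org/assurance/silver-test"


def sample_response(class_ref: str) -> str:
    """Constructed SAML Response carrying one AuthnStatement with the given class."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="{SAML}">
  <saml:Assertion>
    <saml:AuthnStatement AuthnInstant="2012-01-27T22:50:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def asserted_class(response_xml: str) -> str:
    """Return the AuthnContextClassRef from the first AuthnStatement, or fail loudly."""
    root = ET.fromstring(response_xml)
    path = (f".//{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/"
            f"{{{SAML}}}AuthnContextClassRef")
    ref = root.find(path)
    if ref is None or not (ref.text or "").strip():
        raise ValueError("response carries no AuthnContextClassRef")
    return ref.text.strip()


def context_acceptable(requested: str, asserted: str, sp_accepts: set) -> bool:
    """Decide whether the SP may rely on the asserted class.

    requested == unspecified: the IdP picks any method it supports (Chad's
    reading), so only the SP's own allow-list protects the assurance level.
    requested is a specific class (exact comparison): the IdP must echo that
    class; anything else, including a weaker method, is a policy failure.
    """
    if requested == UNSPECIFIED:
        return asserted in sp_accepts
    return asserted == requested and asserted in sp_accepts
```

With the first handler.xml ordering above, an "unspecified" request yields PasswordProtectedTransport, which this check rejects for an SP whose allow-list contains only the silver profile.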