Microsoft Clients Specify Unsupported Authentication Context
Cantor, Scott
cantor.2 at osu.edu
Wed Nov 12 15:34:08 EST 2014
On 11/12/14, 8:20 PM, "Mike Wiseman" <mike.wiseman at utoronto.ca> wrote:
>
>We've noticed in the last week or so that SAML requests from our on-prem
>ADFS to our Shibboleth idp handling Office 365 are including a
>RequestedAuthnContext and AuthnContextClassRef of:
>
>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
That basically says "don't accept strong authentication". Somebody should
ask them to remove that.
>This resulted in the SAML request being accepted, and the rich client
>environment presenting the end user with our webSSO login page (!).
That sounds like what they were promising to do.
> But, on processing of the credentials, the idp sent another AuthnFailed
>response saying that the login handler used one of the existing
>authentication methods instead of the one requested. In doing some
>googling, I saw a similar question in which the answer was that
>LoginHandlers are fixed to handle specific authentication methods only
>and that a new LoginHandler must be built to handle new methods even if
>the method identifier is meant to invoke an existing authentication
>method.
Yes, there really isn't a way to support multiple methods out of one
handler. You'd need more than one. If you can configure two copies of the
UsernamePassword handler at separate locations, that might work, I don't
recall. I wrote my own to deal with issues like this. There's also the MCB
work until V3 is out soon.
-- Scott
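An added example, not part of this thread or of Shibboleth, showing how an IdP operator could pre-check an incoming AuthnRequest for the situation Mike describes: parse the RequestedAuthnContext, compare it against the classes the IdP's login handlers can actually produce, and flag the Microsoft password-only class. The sample request, issuer and supported-class set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
MS_PASSWORD = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Assumed: the classes this IdP's login handlers are configured to assert.
IDP_SUPPORTED = {PPT, "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"}

# Constructed AuthnRequest modelled on the one described in the thread.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_c0ffee" Version="2.0"
    IssueInstant="2014-11-12T20:20:00Z">
  <saml:Issuer>http://adfs.example.edu/adfs/services/trust</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{MS_PASSWORD}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def requested_context(request_xml):
    """Return (Comparison, [AuthnContextClassRef ...]); (None, []) if absent."""
    root = ET.fromstring(request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return rac.get("Comparison", "exact"), refs   # SAML default is "exact"


def evaluate(request_xml, supported=IDP_SUPPORTED):
    """Predict how the IdP would handle the request's authentication context."""
    comparison, refs = requested_context(request_xml)
    result = {"comparison": comparison, "requested": refs,
              "unsupported": [r for r in refs if r not in supported],
              # The Microsoft class alone leaves no room for a stronger method.
              "password_only": refs == [MS_PASSWORD]}
    if not refs:
        result["outcome"] = "idp-default"        # no context requested at all
    elif comparison == "exact":
        # 'exact': the IdP must assert one of the listed classes verbatim;
        # if no login handler produces any of them, the reply is AuthnFailed.
        result["outcome"] = "ok" if set(refs) & supported else "AuthnFailed"
    else:
        result["outcome"] = "needs-ordering"     # minimum/better/maximum need a class ranking
    return result


if __name__ == "__main__":
    print(evaluate(SAMPLE_REQUEST))
```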