F5 big-ip vpn saml implementation with 2factor
IAM David Bantz
dabantz at alaska.edu
Fri Dec 18 18:40:21 EST 2015
Perhaps with some provisos. I have been unable to find a combination of
configurations with MCB that will enable an acceptable (by the SP) response
to a request with:
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://identity.research.gov/sso/sp</saml:Issuer>
...
<samlp:RequestedAuthnContext Comparison="exact" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
  <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
David Bantz
On Fri, Dec 18, 2015 at 2:21 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> > We are all pretty much on the same setup of shibboleth idp 2.5.4, mcb 1.2.5
> > and the latest duo mcb plugin, can't recall version atm. We've been told in
> > the past custom relying party's to request a specific authcontext was not
> > workable in v2x. Our deadline for this solution would be before all our
> > campuses could all get to idp v3 as well.
>
> I can only speak to V2 alone, and it supports SP-specific defaulting of an
> authentication method just fine.
>
> -- Scott
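Added example, not part of the original message and not Shibboleth or MCB code: under SAML 2.0, Comparison="exact" means the authentication context in the response must match one of the requested class references exactly. The sketch parses a constructed AuthnRequest carrying the elements quoted above and checks whether a candidate context would be acceptable; the wrapper element, its ID, and the two-factor context URI are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Constructed request: only the Issuer and RequestedAuthnContext come from the
# message above; the AuthnRequest wrapper and its attributes are made up.
SAMPLE_REQUEST = f"""\
<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed" Version="2.0">
  <saml:Issuer>https://identity.research.gov/sso/sp</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{AC}unspecified</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
"""

def requested_context(xml_text):
    """Return (issuer, comparison, [class refs]) from an AuthnRequest."""
    # ElementTree is fine for this inline sample; use a hardened parser
    # for requests received from the network.
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return issuer, None, []
    comparison = rac.get("Comparison", "exact")  # schema default is "exact"
    refs = [e.text.strip()
            for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return issuer, comparison, refs

def satisfies(xml_text, asserted_ref):
    """True if asserted_ref is acceptable for the request's context rules."""
    _, comparison, refs = requested_context(xml_text)
    if not refs:
        return True  # nothing requested: any context is acceptable
    if comparison != "exact":
        # minimum/maximum/better need a deployment-defined ordering
        raise NotImplementedError(comparison)
    return asserted_ref in refs

if __name__ == "__main__":
    print(requested_context(SAMPLE_REQUEST))
    # Hypothetical two-factor context URI, for illustration only.
    print(satisfies(SAMPLE_REQUEST, "https://idp.example.org/ac/two-factor"))
```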