Need to modify AuthnContextClassRef in ExternalAuth
Stefan Santesson
stefan at aaa-sec.com
Fri Dec 18 22:26:20 EST 2015
Scott,
>>
>>Add an object of type AuthnContextClassRefPrincipal with the value you want to the Subject's principal collection.
>>
>>-- Scott
Actually, this didn’t work.
My auth/External bean is defined as:
<bean id="authn/External" parent="shibboleth.AuthenticationFlow"
      p:nonBrowserSupported="false"
      p:passiveAuthenticationSupported="false"
      p:forcedAuthenticationSupported="true">
    <property name="supportedPrincipals">
        <util:list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa2"/>
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa3"/>
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa4"/>
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa2-sigmessage"/>
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa3-sigmessage"/>
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa4-sigmessage"/>
        </util:list>
    </property>
</bean>
External-auth-config.xml contains:
<util:constant id="shibboleth.authn.External.addDefaultPrincipals" static-field="java.lang.Boolean.FALSE" />
The AuthnRequest asks for 2 of the supported class refs:
<saml2p:RequestedAuthnContext Comparison="exact">
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://id.elegnamnden.se/loa/1.0/loa3</saml2:AuthnContextClassRef>
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://id.elegnamnden.se/loa/1.0/loa3-sigmessage</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
The External Auth module sets http://id.elegnamnden.se/loa/1.0/loa3-sigmessage as the context class ref for the response by:
import java.security.Principal;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;

// Build the Subject the IdP will pick up from the "subject" request attribute
Principal principal = new UsernamePrincipal(principalName);
Principal accPrincipal = new AuthnContextClassRefPrincipal("http://id.elegnamnden.se/loa/1.0/loa3-sigmessage");
Subject subj = new Subject();
subj.getPrincipals().add(principal);
subj.getPrincipals().add(accPrincipal);
request.setAttribute("subject", subj);
But the assertion is returned with AuthnContextClassRef = http://id.elegnamnden.se/loa/1.0/loa3
What am I doing wrong here?
/Stefan
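For readers setting up the same kind of flow, here is an added, stand-alone example of an external-authentication servlet written against the IdP 3 external-authentication API as I understand it; it is not code from Stefan's post nor from the Shibboleth project. It assumes the classes ExternalAuthentication (startExternalAuthentication, getProfileRequestContext, finishExternalAuthentication, SUBJECT_KEY, AUTHENTICATION_ERROR_KEY), AuthenticationContext, RequestedPrincipalContext, UsernamePrincipal and AuthnContextClassRefPrincipal with the signatures used below; the helper methods authenticatedUser/achievedClassRef and the header name X-Achieved-LoA are hypothetical stand-ins for whatever front-end system actually authenticates the user. The point it adds beyond the post is the selection step: the servlet only ever asserts a class ref that is both in its own supported set and, when the SP sent an exact RequestedAuthnContext, among the refs the SP asked for, and it reports an error rather than asserting a level it cannot vouch for.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import org.opensaml.profile.context.ProfileRequestContext;

public class LoaExternalAuthServlet extends HttpServlet {

    // Class refs this deployment can vouch for; keep in sync with the
    // flow's supportedPrincipals list in general-authn.xml.
    private static final Set<String> SUPPORTED = new HashSet<>(Arrays.asList(
            "http://id.elegnamnden.se/loa/1.0/loa3",
            "http://id.elegnamnden.se/loa/1.0/loa3-sigmessage"));

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            String key = ExternalAuthentication.startExternalAuthentication(req);

            // Collect the class refs the SP requested (empty if none requested).
            ProfileRequestContext prc = ExternalAuthentication.getProfileRequestContext(key, req);
            AuthenticationContext ac = prc.getSubcontext(AuthenticationContext.class);
            RequestedPrincipalContext rpc =
                    ac != null ? ac.getSubcontext(RequestedPrincipalContext.class) : null;
            List<Principal> requested =
                    rpc != null ? rpc.getRequestedPrincipals() : Collections.<Principal>emptyList();

            String user = authenticatedUser(req);        // hypothetical helper
            String achieved = achievedClassRef(req);     // hypothetical helper
            String chosen = selectClassRef(requested, achieved, SUPPORTED);

            if (user == null || chosen == null) {
                // Do not assert a level we did not reach or were not asked for.
                req.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY, "NoAcceptableLoA");
            } else {
                Subject subj = new Subject();
                subj.getPrincipals().add(new UsernamePrincipal(user));
                subj.getPrincipals().add(new AuthnContextClassRefPrincipal(chosen));
                req.setAttribute(ExternalAuthentication.SUBJECT_KEY, subj);  // SUBJECT_KEY == "subject"
            }
            ExternalAuthentication.finishExternalAuthentication(key, req, resp);
        } catch (ExternalAuthenticationException e) {
            throw new ServletException("External authentication failed", e);
        }
    }

    // Returns the class ref to assert, or null if none is acceptable:
    // it must be one we support and, if the SP requested specific refs, one of those.
    static String selectClassRef(List<Principal> requested, String achieved, Set<String> supported) {
        if (achieved == null || !supported.contains(achieved)) {
            return null;
        }
        if (requested.isEmpty()) {
            return achieved;
        }
        for (Principal p : requested) {
            if (p instanceof AuthnContextClassRefPrincipal && achieved.equals(p.getName())) {
                return achieved;
            }
        }
        return null;
    }

    // Hypothetical: user name established by the container/front-end authenticator.
    private static String authenticatedUser(HttpServletRequest req) {
        return req.getRemoteUser();
    }

    // Hypothetical: the front-end reports the level it actually achieved in a header.
    private static String achievedClassRef(HttpServletRequest req) {
        return req.getHeader("X-Achieved-LoA");
    }
}
```

The selection in selectClassRef is deliberately strict: with Comparison="exact" in the request, the assertion must carry one of the requested refs, so an achieved level outside that list is treated as a failure rather than silently mapped to a different ref.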