Returning an AuthnContextDecl using Shibboleth3 external auth

Cantor, Scott cantor.2 at osu.edu
Tue May 12 09:49:53 EDT 2015


On 5/12/15, 4:26 AM, "Stefan Santesson" <stefan at aaa-sec.com> wrote:
>
>We are testing Shibboleth3 IdP in the Swedish national federation and I’m stuck in my efforts to return an AuthnContextDecl and even setting the appropriate AuthnContextClassRef from my external auth servlet to the Shibboleth3 IdP.

We have no support for AuthnContext declarations, we never have. We support ClassRef or DeclRef (but not both, since that's not legal).

>On the input side to the external auth servlet I have more than I need. The key here for me is the profileRequestContext request attribute providing the full AuthnRequest.

You should *not* in general ever evaluate SAML in a login flow. If you're looking for data about the RequestedAuthnContext, it's transformed into a RequestedPrincipalContext in the tree so that it's protocol neutral.

>The content of the request will influence the processing in the IdP and I’m supposed to return both the actually performed AuthnContextClassRef, but even more importantly, result data in a AuthnContextDecl.

Not supported, at least without doing your own copy of the SAML flow and writing new Java code.

>In Shibboleth2 IdP I could influence the AuthnContextClassRef through the now deprecated authnMethod attribute.

Yes, but not the Decl.

Class handling is automatic for the most part, but there are limitations on doing this more dynamically, the design's not there yet. Too much of the automation gets in the way. You can explicitly return a Subject with your choice of custom Principal objects (namely AuthnContextClassRefPrincipals), but the flow engine will add in all the custom Principals established on the flow descriptor, which likely contaminates whatever you're trying to do. Marvin asked a similar question a couple of weeks ago.

>Are the input request attributes also working as output request attributes, that is, can I return a profileRequestContext to the IdP with the data above? (It seems to have an outboundMessageContext.)

No.

>If so, how am I supposed to include the data in this generic object?

Generally speaking you're supposed to return a Subject, but it probably won't do what you need it to in the end (and it will never generate a declaration).

-- Scott
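The shape of what Scott describes above (reading the RequestedPrincipalContext instead of the raw AuthnRequest, then returning a Subject carrying an AuthnContextClassRefPrincipal) as an added illustration that is not from the thread or the Shibboleth project. It assumes the IdP v3 external-auth API (ExternalAuthentication, ProfileRequestContext.BINDING_KEY) and a hypothetical authenticateLocally() helper; as the reply says, the flow descriptor's own Principals are still merged in, and no AuthnContextDecl can be produced this way.

```java
import java.io.IOException;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import org.opensaml.profile.context.ProfileRequestContext;

public class ExampleExternalAuthServlet extends HttpServlet {

    private static final String PPT =
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            // Hand control to the IdP's external flow; the key is needed to finish.
            String key = ExternalAuthentication.startExternalAuthentication(req);

            // Protocol-neutral view of what the SP requested (assumption: the
            // ProfileRequestContext is bound under ProfileRequestContext.BINDING_KEY).
            ProfileRequestContext prc =
                (ProfileRequestContext) req.getAttribute(ProfileRequestContext.BINDING_KEY);
            AuthenticationContext ac = prc.getSubcontext(AuthenticationContext.class);
            RequestedPrincipalContext rpc =
                ac == null ? null : ac.getSubcontext(RequestedPrincipalContext.class);
            if (rpc != null) {
                for (Principal p : rpc.getRequestedPrincipals()) {
                    log("SP requested: " + p.getName()); // e.g. a class ref URI
                }
            }

            String username = authenticateLocally(req); // hypothetical local check

            // Return a Subject; the class ref Principal is the only context
            // signal the IdP will take from here (no declaration is possible).
            Subject subject = new Subject();
            subject.getPrincipals().add(new UsernamePrincipal(username));
            subject.getPrincipals().add(new AuthnContextClassRefPrincipal(PPT));
            req.setAttribute(ExternalAuthentication.SUBJECT_KEY, subject);

            ExternalAuthentication.finishExternalAuthentication(key, req, resp);
        } catch (ExternalAuthenticationException e) {
            throw new ServletException(e);
        }
    }

    private String authenticateLocally(HttpServletRequest req) { return "jdoe"; } // stub
}
```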