Returning an AuthnContextDecl using Shibboleth3 external auth

Stefan Santesson stefan at
Tue May 12 13:20:57 EDT 2015


On 12/05/15 15:49, "Cantor, Scott" <cantor.2 at> wrote:

>We have no support for AuthnContext declarations, we never have. We
>support ClassRef or DeclRef (but not both, since that's not legal).

I think you are wrong here.

It is definitely allowed by the XML Schema for AuthnContextType.
This may hold both a ClassRef AND a choice between DeclRef or ContextDecl:

  <element ref="saml:AuthnContextClassRef"/>
  <choice minOccurs="0">
    <element ref="saml:AuthnContextDecl"/>
    <element ref="saml:AuthnContextDeclRef"/>
  </choice>

The guiding text seems to agree (SAML 2.0 core
"The <AuthnContext> element specifies the context of an authentication
event. The element can contain
an authentication context class reference, an authentication context
declaration or declaration reference,
or both."
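
The content model under discussion, as an added example that is not part of the original message and is not Shibboleth code: a small checker for the children of one `<saml:AuthnContext>`. It goes beyond the fragment quoted above by also covering the Decl/DeclRef-without-ClassRef branch and the trailing `AuthenticatingAuthority` elements from the SAML 2.0 assertion schema; `check_authn_context`, `ctx` and the sample documents are hypothetical names and constructed data.

```python
import xml.etree.ElementTree as ET  # constructed input only; use a hardened parser for untrusted SAML

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CLASS_REF, DECL, DECL_REF, AUTHORITY = (
    f"{{{NS}}}{name}" for name in ("AuthnContextClassRef", "AuthnContextDecl",
                                   "AuthnContextDeclRef", "AuthenticatingAuthority"))

def check_authn_context(xml_text):
    """Check the children of one <saml:AuthnContext>; returns (ok, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}AuthnContext":
        return False, "root is not saml:AuthnContext"
    kids = [child.tag for child in root]
    i = 0
    # Optional leading ClassRef.
    has_class = i < len(kids) and kids[i] == CLASS_REF
    i += has_class
    # At most one of Decl / DeclRef (an xs:choice, so never both of those).
    has_decl = i < len(kids) and kids[i] in (DECL, DECL_REF)
    i += has_decl
    if not (has_class or has_decl):
        return False, "needs a ClassRef, a Decl or DeclRef, or a ClassRef plus one of those"
    # Any number of trailing AuthenticatingAuthority elements.
    while i < len(kids) and kids[i] == AUTHORITY:
        i += 1
    if i < len(kids):
        name = kids[i].rpartition("}")[2]
        return False, f"unexpected {name} at child {i}"
    return True, "valid"

def ctx(*children):
    """Wrap constructed child elements in an AuthnContext element."""
    return f'<saml:AuthnContext xmlns:saml="{NS}">{"".join(children)}</saml:AuthnContext>'

# Constructed sample values (the DeclRef URL and the Decl body are made up).
CLS = "<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>"
REF = "<saml:AuthnContextDeclRef>https://idp.example.org/authn-decl/1</saml:AuthnContextDeclRef>"
DCL = '<saml:AuthnContextDecl><x:Level xmlns:x="urn:example:decl">3</x:Level></saml:AuthnContextDecl>'

SAMPLES = {"class only": ctx(CLS), "class + declref": ctx(CLS, REF), "class + decl": ctx(CLS, DCL),
           "decl only": ctx(DCL), "decl + declref": ctx(DCL, REF), "declref before class": ctx(REF, CLS),
           "empty": ctx()}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(f"{label:22} {check_authn_context(doc)}")
```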

