Switching authnContextClassRefs on SP
Etienne Dysli-Metref
etienne.dysli-metref at switch.ch
Tue Nov 15 09:45:50 EST 2016
Hi there,
I'm trying to protect two paths on one SP with two different
authnContextClassRef requirements: the first one requests nothing
special, the second one wants my class.

  <Location "/secure/">
    AuthType shibboleth
    ShibRequestSetting requireSession true
    Require shib-session
  </Location>

  <Location "/secure-mfa/">
    AuthType shibboleth
    ShibRequestSetting requireSession true
    ShibRequestSetting authnContextClassRef https://mfa-dev.ed.switch.ch/idp/mfa/simple
    Require authnContextClassRef https://mfa-dev.ed.switch.ch/idp/mfa/simple
  </Location>

I'm observing the following SP behaviour: first I access /secure/ and
get a session with authnContextClassRef "PasswordProtectedTransport",
then I access /secure-mfa/ and the SP throws a 401 unauthorized error.
Is this the expected behaviour?
I would prefer the SP to send another authnRequest asking for my
authnContextClassRef. Is there a way to do that (besides trapping the 401
in the web application and handling it there)?
Cheers,
Etienne
environment (if that matters):
Apache httpd 2.4.6 RHEL 7.2
Shibboleth SP 2.6.0
log4shib 1.0.9, Xerces-C 3.1.1, XMLTooling-C 1.6.0, Shibboleth 1.6.0
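
The application-side handling mentioned in the message, as an added example that is not part of the original post and not Shibboleth project code: a WSGI check that compares the session's class with the one from the configuration above and redirects to the SP login handler for a step-up. Assumptions: the path only enforces "Require shib-session" so the request reaches the application, the SP exports the class as Shib-AuthnContext-Class, the handler is at the default /Shibboleth.sso/Login and accepts authnContextClassRef and target as query parameters, and the "stepup" marker and function names are hypothetical.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

MFA_CLASS = "https://mfa-dev.ed.switch.ch/idp/mfa/simple"  # from the post
# Assumptions: default SP handler path, the variable the SP exports the
# session's authentication context class in, and a hypothetical loop marker.
LOGIN_HANDLER = "/Shibboleth.sso/Login"
CLASS_VAR = "Shib-AuthnContext-Class"
MARKER = "stepup"


def local_path(path, fallback="/secure-mfa/"):
    """Return path only if it is a plain local absolute path."""
    parts = urlsplit(path)
    if parts.scheme or parts.netloc or not path.startswith("/") or "\\" in path:
        return fallback
    return path


def decide(environ, required=MFA_CLASS):
    """Return ("allow", None), ("redirect", url) or ("deny", None)."""
    if environ.get(CLASS_VAR) == required:
        return ("allow", None)
    query = environ.get("QUERY_STRING", "")
    if MARKER in parse_qs(query):
        # Already sent to the IdP once and still no MFA class: stop here
        # instead of bouncing the browser between SP and IdP.
        return ("deny", None)
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
    back = local_path(path) + "?" + (query + "&" if query else "") + MARKER + "=1"
    params = {"authnContextClassRef": required, "target": back}
    return ("redirect", LOGIN_HANDLER + "?" + urlencode(params))


def app(environ, start_response):
    """Minimal WSGI wrapper around decide()."""
    verdict, url = decide(environ)
    if verdict == "redirect":
        start_response("302 Found", [("Location", url)])
        return [b""]
    status = "200 OK" if verdict == "allow" else "403 Forbidden"
    start_response(status, [("Content-Type", "text/plain")])
    return [verdict.encode() + b"\n"]
```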