SP step-up authentication

Plovich, Tony aplovich at anl.gov
Mon Apr 29 12:37:02 EDT 2019


Hello,

I have a number of applications that all exist under the same domain:

some.domain/app1

some.domain/app2

And I've run into a situation where I need to start securing some of them with SmartCard authentication via AuthnContextClassRef.  Currently, there's no distinction between the apps from the SP's point of view (they're all under the default app ID).  Initially, I tried securing them with a native Apache content setting:

<Location /app1>
    ShibRequestSetting authnContextClassRef urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
</Location>

However, it was discovered that a user could authenticate to app2 with a password and then enter app1 without being sent back to the IDP to auth with a smartcard.  After reading https://wiki.shibboleth.net/confluence/display/SP3/ApplicationModel it seems pretty clear that I need to break app1 out into a separate SP application.  However, I'd like to make absolutely sure there isn't a better way to accomplish what I'm trying to do.

--
Tony Plovich (aplovich at anl.gov)
Business Information Systems (BIS)
Argonne National Laboratory
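One way to set up the separation the post points to, shown as an added illustration rather than the poster's own configuration (the application id "app1", the requireSession setting and the Require rules are assumptions):

```apache
# Default application: every path under some.domain shares one SP session,
# so a password login for /app2 also satisfies /app1 when app1 differs
# only by a Location-level authnContextClassRef (the behaviour described
# in the post).
<Location /app2>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session
</Location>

# Step-up path: bind /app1 to its own SP application ("app1"), which keeps
# a separate session cookie. A user coming from /app2 has no app1 session,
# so the SP starts a new request to the IdP carrying the SmartcardPKI
# context instead of reusing the existing password session.
# This needs a matching <ApplicationOverride id="app1" .../> element under
# <ApplicationDefaults> in shibboleth2.xml (entityID is your choice).
<Location /app1>
    AuthType shibboleth
    ShibRequestSetting applicationId app1
    ShibRequestSetting requireSession 1
    ShibRequestSetting authnContextClassRef urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
    Require shib-session
</Location>
```

The SP only requests the context in the AuthnRequest; whether SmartcardPKI is actually enforced is decided by the IdP, so check the IdP side as well.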
