SP step-up authentication

Cantor, Scott cantor.2 at osu.edu
Mon Apr 29 12:50:34 EDT 2019


On 4/29/19, 12:37 PM, "users on behalf of Plovich, Tony" <users-bounces at shibboleth.net on behalf of aplovich at anl.gov> wrote:

> I tried securing them with a native Apache content setting:

That doesn't secure it. Securing it is done by requiring the necessary AuthnContext class you want to require with authz. The step you took is the sugar; it's simply the thing that automates the process of getting the IdP to give you that, but without enforcement, you've done nothing.

> However, it was discovered that a user could authenticate to app2 with a password and then enter app1 without being
> sent back to the IDP to auth with a smartcard.  After reading

That's because you didn't enforce it, and that hole would be there whether you use an override or not.

The use of an override is the only way to force the behavior statically so that users don't get bad behavior. If the application itself does the enforcing, it can respond to failure by issuing a login request with a redirect to /Login and specify the authnContextClassRef to use, so you get seamless behavior, and that doesn't take an override.

-- Scott
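As an added illustration of the application-side enforcement described above (example code, not from this thread or from the Shibboleth project): a WSGI-style check that reads the SP's exported Shib-AuthnContext-Class session variable and, when it does not carry the required class, builds the login request to the SP's Login handler with authnContextClassRef set. The SmartcardPKI class URI standing in for the smartcard login, and the /Shibboleth.sso/Login handler path, are assumptions.

```python
from urllib.parse import urlencode

# SAML 2.0 authentication context class URIs (standard values). Which one the
# IdP asserts for a smartcard login is an assumption for this example.
SMARTCARD = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Default name under which the Shibboleth SP exports the session's class ref.
CLASS_VAR = "Shib-AuthnContext-Class"


def step_up_redirect(environ, required_class, login_handler="/Shibboleth.sso/Login"):
    """Enforce the AuthnContext class in the application, not just request it.

    Returns None when the current SP session already carries exactly
    ``required_class``. Otherwise (wrong class, or no session at all) it
    returns the URL of a login request that asks the IdP for that class and
    brings the user back to the page they asked for.
    """
    if environ.get(CLASS_VAR, "") == required_class:
        return None  # session satisfies the requirement; serve the page

    # Rebuild the requested URL so the SP can return the user to it.
    target = "%s://%s%s%s" % (
        environ.get("wsgi.url_scheme", "https"),
        environ.get("HTTP_HOST", "localhost"),
        environ.get("SCRIPT_NAME", ""),
        environ.get("PATH_INFO", "/"),
    )
    if environ.get("QUERY_STRING"):
        target += "?" + environ["QUERY_STRING"]

    params = {
        "target": target,
        "authnContextClassRef": required_class,
        "authnContextComparison": "exact",  # a password session must not satisfy it
    }
    return login_handler + "?" + urlencode(params)


# Constructed sample requests: app1 requires the smartcard class.
SMARTCARD_SESSION = {CLASS_VAR: SMARTCARD, "HTTP_HOST": "app1.example.org",
                     "PATH_INFO": "/app1/report", "QUERY_STRING": "id=7"}
PASSWORD_SESSION = dict(SMARTCARD_SESSION, **{CLASS_VAR: PASSWORD})

if __name__ == "__main__":
    print(step_up_redirect(SMARTCARD_SESSION, SMARTCARD))  # None: allowed
    print(step_up_redirect(PASSWORD_SESSION, SMARTCARD))   # redirect to Login
```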
