Different authnContextClassRef by different IDP
Vjger
vjger69 at gmail.com
Thu Feb 27 11:01:52 EST 2020
Hi,
We have an SP federated with different IdPs.
One of these is ours (a Shibboleth IdP v3), the others are external.
The external group of IdPs requires a specific authnContextClassRef.
Configuring it via the <ApplicationDefaults> tag works.
Say, for example, that my ApplicationDefaults is something like:
<ApplicationDefaults entityID="https://www.xyz.com"
                     REMOTE_USER="shibattr-uid eppn subject-id pairwise-id persistent-id"
                     attributePrefix="AJP_" signing="true"
                     NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                     authnContextClassRef="https://www.abc.com" authnContextComparison="minimum">
The problem is that we get an error on our internal IdP because the
authnContextClassRef is global.
To avoid it we've changed the configuration (general-authn.xml) of the internal IdP
in this way:
<bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
      p:passiveAuthenticationSupported="true"
      p:forcedAuthenticationSupported="true">
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="https://www.abc.com" />
        </list>
    </property>
</bean>
So we avoid the error, but it's not pretty. Is there a way to link a specific
AuthnContextClassRef to a specific IdP (we use the Discovery Service via the
<SessionInitiator type="SAMLDS"> tag)?
Thanks in advance
--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
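One configuration shape worth evaluating for the per-IdP question above, added here as an example and not taken from the original post: keep the SP's ApplicationDefaults free of a global authnContextClassRef and attach the class reference to the external IdP through a RelyingParty override keyed by that IdP's entityID. The assumption to verify against the SP documentation for the installed version is that the SAML2 session initiator honours authnContextClassRef and authnContextComparison set on a RelyingParty element; the external IdP entityID, Discovery Service URL and Sessions attributes below are placeholders.

```xml
<!-- Added example (shibboleth2.xml fragment), not the poster's configuration.
     Assumption: the SAML2 SessionInitiator reads authnContextClassRef from a
     matching <RelyingParty> once the Discovery Service has returned an entityID.
     All hostnames other than www.xyz.com and www.abc.com are placeholders. -->
<ApplicationDefaults entityID="https://www.xyz.com"
                     REMOTE_USER="shibattr-uid eppn subject-id pairwise-id persistent-id"
                     attributePrefix="AJP_" signing="true"
                     NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">

    <!-- No authnContextClassRef at this level: requests to the internal IdP carry
         no RequestedAuthnContext, so its authn/Password flow in general-authn.xml
         does not have to advertise a foreign class reference. -->

    <!-- Override applied only when the chosen IdP is this external one (placeholder
         entityID). Add one element per external IdP that needs the class reference. -->
    <RelyingParty Name="https://external-idp.example.org/idp/shibboleth"
                  authnContextClassRef="https://www.abc.com"
                  authnContextComparison="minimum"/>

    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerSSL="true" cookieProps="https">
        <!-- The Discovery Service only selects the IdP; the SP then resolves the
             RelyingParty settings for that entityID before building the AuthnRequest. -->
        <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login">
            <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
            <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>
        </SessionInitiator>
    </Sessions>
</ApplicationDefaults>
```

Whichever mechanism is used, the class reference in the AuthnRequest is only a request: the SP should still check the AuthnContextClassRef the external IdP actually asserts in the response (the SP exposes it as the Shib-AuthnContext-Class header) before treating the session as having met the external requirement, and the internal IdP's general-authn.xml can then be left at its default supported principals.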