Different authnContextClassRef by different IDP

Vjger vjger69 at gmail.com
Thu Feb 27 11:01:52 EST 2020


Hi,
we have an SP federated with different IDPs.

One of these is our (by Shib IDP v3), the others are external.

The external block of IdPs requires a specific authnContextClassRef.

Configuring it in the <ApplicationDefaults> tag works.

Say for example that my ApplicationDefaults is something like

<ApplicationDefaults entityID="https://www.xyz.com"
                     REMOTE_USER="shibattr-uid eppn subject-id pairwise-id persistent-id"
                     attributePrefix="AJP_"
                     signing="true"
                     NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                     authnContextClassRef="https://www.abc.com"
                     authnContextComparison="minimum">
    <!-- Sessions, Errors, MetadataProvider, ... unchanged -->
</ApplicationDefaults>

The problem is that we get an error on our internal IdP because the
authnContextClassRef is global.

To avoid it we've changed the configuration (general-authn.xml) of the internal IdP
in this way:

<bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
      p:passiveAuthenticationSupported="true"
      p:forcedAuthenticationSupported="true">
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="https://www.abc.com" />
        </list>
    </property>
</bean>

So we avoid the error, but it's not pretty. Is there a way to link a specific
AuthnContextClassRef to a specific IdP (we use the Discovery Service via the
<SessionInitiator type="SAMLDS"> tag)?

Thanks in advance




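An added example of the per-IdP approach the post is asking about (not code from the original post or from the Shibboleth project): the Shibboleth SP's <RelyingParty> element overrides application-level settings for the IdP whose entityID matches its Name, and this example assumes that authnContextClassRef and authnContextComparison are among the settings it can override. The global authnContextClassRef is dropped, so the internal IdP receives an AuthnRequest with no RequestedAuthnContext, and only the external IdPs get the required class. All entityIDs, the discovery URL and the Sessions settings below are placeholders.

```xml
<ApplicationDefaults entityID="https://www.xyz.com"
                     REMOTE_USER="shibattr-uid eppn subject-id pairwise-id persistent-id"
                     attributePrefix="AJP_"
                     signing="true"
                     NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
    <!-- No authnContextClassRef at this level: the internal IdP (assumed
         entityID https://idp.internal.example) gets a plain AuthnRequest. -->

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">
        <!-- Assumed discovery service URL; the SAMLDS initiator hands the
             chosen IdP's entityID to the SAML2 initiator, which then looks up
             the matching RelyingParty overrides below. -->
        <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login">
            <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
            <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>
        </SessionInitiator>
        <!-- remaining handlers (SAML2 endpoints, Logout, Status, ...) unchanged -->
    </Sessions>

    <Errors supportContact="root@localhost" helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- Assumed entityIDs for the external IdPs; one override per IdP that
         insists on the context class. -->
    <RelyingParty Name="https://idp.external-one.example"
                  authnContextClassRef="https://www.abc.com"
                  authnContextComparison="minimum"/>
    <RelyingParty Name="https://idp.external-two.example"
                  authnContextClassRef="https://www.abc.com"
                  authnContextComparison="minimum"/>

    <!-- MetadataProvider, AttributeExtractor, AttributeFilter,
         CredentialResolver, ... unchanged -->
</ApplicationDefaults>
```

With this in place the general-authn.xml workaround on the internal IdP can be reverted. That workaround is worth removing for a second reason: adding https://www.abc.com to the Password flow's supportedPrincipals makes the internal IdP assert that class for an ordinary password login, so anything downstream that treats https://www.abc.com as meaning a stronger authentication can no longer tell the two apart. Note also that the SP only requests the class; it does not reject an assertion that comes back with a different one. If the application depends on the class actually being satisfied, it should check the Shib-AuthnContext-Class attribute the SP exposes from the assertion.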