Fun with proxying to AzureAD
Matthew Slowe
Matthew.Slowe at jisc.ac.uk
Tue Jun 8 10:59:11 UTC 2021
> On 7 Jun 2021, at 21:17, Jeffrey Williams via users <users at shibboleth.net> wrote:
>
> We've been proxying to Azure for a bit and are handling REFEDS MFA requests with it as well. I put the code snippet we use in the How-To article:
>
> https://wiki.shibboleth.net/confluence/display/KB/Using+SAML+Proxying+in+the+Shibboleth+IdP+to+connect+with+Azure+AD
>
> It's the same mechanism Tony described, but using values that'll have meaning in Azure.
Hi Jeff,
From what I can see the snippet on the wiki page is mapping between AuthnContextClassRefs but our observation is that Azure emits that "multipleauthn" assertion as an Attribute in the AttributeStatement rather than in the AuthnContext:
    <AttributeStatement>
      ...
      <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
        <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
        <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
      </Attribute>
      ...
    </AttributeStatement>
    ...
    <AuthnStatement AuthnInstant="..." SessionIndex="...">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
Am I barking up the wrong tree or have you "done something" to the Azure IdP end to get it to emit this as an AuthnContextClassRef?
Thanks,
--
Matthew Slowe (GPG: 0x6BE0CF7D04600314)
Senior Technical Consultant and Support specialist - Trust & Identity, Jisc
Team: 0300 300 2212, option 2
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
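The distinction Matthew raises (the MFA signal arriving as an authnmethodsreferences attribute value while the AuthnContextClassRef still says Password) is easy to get wrong when mapping to REFEDS MFA. The following is an added illustration, not code from this thread or from the Shibboleth wiki: it parses a constructed assertion shaped like the fragment above and decides which context class a proxying IdP should assert. The REFEDS MFA profile URI is assumed to be https://refeds.org/profile/mfa, and the function names are my own.

```python
"""Decide which AuthnContextClassRef to assert downstream, based on Azure AD's
authnmethodsreferences attribute rather than the upstream AuthnContext."""
from __future__ import annotations
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUTHN_METHODS_ATTR = "http://schemas.microsoft.com/claims/authnmethodsreferences"
AZURE_MULTIPLEAUTHN = "http://schemas.microsoft.com/claims/multipleauthn"
REFEDS_MFA = "https://refeds.org/profile/mfa"  # assumed REFEDS MFA profile URI
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# Constructed sample assertion, shaped like the fragment quoted in the mail above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
      <saml:AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</saml:AttributeValue>
      <saml:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthnStatement AuthnInstant="2021-06-08T10:00:00Z" SessionIndex="_constructed">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def authn_methods(assertion_xml: str) -> set[str]:
    """Collect the authnmethodsreferences values from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)  # untrusted input: prefer defusedxml in production
    values: set[str] = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == AUTHN_METHODS_ATTR:
            values.update((v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS))
    return values


def upstream_context(assertion_xml: str) -> str | None:
    """Return the AuthnContextClassRef Azure actually sent (Password, in the sample)."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None and ref.text else None


def context_to_assert(assertion_xml: str) -> str:
    """Assert REFEDS MFA only when the multipleauthn claim is present; otherwise
    pass through the upstream context so MFA is never claimed on a password-only login."""
    if AZURE_MULTIPLEAUTHN in authn_methods(assertion_xml):
        return REFEDS_MFA
    return upstream_context(assertion_xml) or PASSWORD_CTX
```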