Fun with proxying to AzureAD

Matthew Slowe Matthew.Slowe at
Tue Jun 8 10:59:11 UTC 2021

> On 7 Jun 2021, at 21:17, Jeffrey Williams via users <users at> wrote:
> We've been proxying to Azure for a bit and are handling REFEDS MFA requests with it as well.  I put the code snippet we use in the How-To article: 
> It's the same mechanism Tony described, but using values that'll have meaning in Azure.

Hi Jeff,

From what I can see the snippet on the wiki page is mapping between AuthnContextClassRefs but our observation is that Azure emits that "multipleauthn" assertion as an Attribute in the AttributeStatement rather than in the AuthnContext:

> <AttributeStatement>
> ...
>     <Attribute Name="">
>         <AttributeValue></AttributeValue>
>         <AttributeValue></AttributeValue>
>     </Attribute>
> ...
> </AttributeStatement>
> ...
> <AuthnStatement AuthnInstant="..." SessionIndex="...">
>     <AuthnContext>
>         <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
>     </AuthnContext>
> </AuthnStatement>

Am I barking up the wrong tree or have you "done something" to the Azure IdP end to get it to emit this as an AuthnContextClassRef?

Matthew Slowe (GPG: 0x6BE0CF7D04600314)
Senior Technical Consultant and Support specialist - Trust & Identity, Jisc
Team: 0300 300 2212, option 2
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
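
An added example, not part of the original message or of the wiki snippet it discusses: a Python sketch of how a proxy could derive the downstream class ref from the attribute values when the upstream AuthnContextClassRef only says Password. The attribute name and values are placeholders because the post elides the real ones, the function names are hypothetical, and the assertion is assumed to have passed signature validation already.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
REFEDS_MFA = "https://refeds.org/profile/mfa"
# Placeholders (constructed): the post elides the real attribute name and values.
METHODS_ATTR = "urn:example:placeholder:authn-methods"
MFA_VALUE = "urn:example:placeholder:multipleauthn"
PWD_VALUE = "urn:example:placeholder:password"


def build_sample(values):
    """Constructed assertion shaped like the one quoted in the post."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AttributeStatement>'
        f'<saml:Attribute Name="{METHODS_ATTR}">{vals}</saml:Attribute>'
        "</saml:AttributeStatement><saml:AuthnStatement><saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{PASSWORD}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    )


SAMPLE_MFA = build_sample([PWD_VALUE, MFA_VALUE])
SAMPLE_PWD = build_sample([PWD_VALUE])


def upstream_claims(assertion_xml, attr_name=METHODS_ATTR):
    """Return (class_refs, method_values). Input must already be signature-checked."""
    root = ET.fromstring(assertion_xml)
    refs = [e.text.strip() for e in root.iterfind(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS) if e.text]
    values = [v.text.strip()
              for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == attr_name
              for v in a.iterfind("saml:AttributeValue", NS) if v.text]
    return refs, values


def effective_class_ref(assertion_xml, attr_name=METHODS_ATTR, mfa_value=MFA_VALUE):
    """Class ref the proxy should assert downstream; MFA only on an exact value match."""
    refs, values = upstream_claims(assertion_xml, attr_name)
    if mfa_value in values:
        return REFEDS_MFA
    return refs[0] if refs else None


def satisfies(requested, assertion_xml):
    """Fail closed: an SP's requested class refs are met only by the derived one."""
    return effective_class_ref(assertion_xml) in requested
```

A mapping that looks only at the first element returned by `upstream_claims` sees Password for both samples, which is the mismatch the message describes.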
