Changing IDP4 SAML Authentication RequestedAuthnContext Comparison value

McLennan, Neil R n.mclennan at imperial.ac.uk
Fri Nov 26 13:12:02 UTC 2021


Has anybody worked out how to alter the RequestedAuthnContext for SAML authentication so that it becomes <saml2p:RequestedAuthnContext Comparison="exact">?

As per the useful https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631678/RelyingPartyConfiguration I have updated the relying party for the SAML authentication, hoping it might override <saml2p:RequestedAuthnContext Comparison="minimum">; however, it remains the same.

Authentication request into Shibboleth:

    <saml2p:RequestedAuthnContext Comparison="minimum">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>

Outgoing authentication request from Shibboleth remains as:

    <saml2p:RequestedAuthnContext Comparison="minimum">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>

What am I missing in the Relying Party configuration for SAML authentication?

    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sts.windows.net/xxxxxxxxxxxxxxx/">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:disallowedFeatures-ref="SAML2.SSO.FEATURE_AUTHNCONTEXT">
                    <property name="defaultAuthenticationMethods">
                        <list>
                            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
                        </list>
                    </property>
                </bean>
            </list>
        </property>
    </bean>

Regards

Neil McLennan
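An added illustration, not part of the post and not Shibboleth code, of what the Comparison attribute controls: it parses the RequestedAuthnContext quoted above and evaluates whether a returned AuthnContextClassRef satisfies the request under exact versus minimum matching. The AuthnRequest wrapper around the fragment and the class-strength ordering are constructed assumptions (SAML leaves the ordering to the responder).

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
TIMESYNC = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

# Assumed deployment-specific ordering, weakest to strongest.
STRENGTH = [PASSWORD, PPT, TIMESYNC]

# Constructed sample: the fragment from the post, wrapped in a minimal AuthnRequest.
REQUEST = f"""<saml2p:AuthnRequest xmlns:saml2p="{SAMLP}" ID="_constructed" Version="2.0"
    IssueInstant="2021-11-26T13:12:02Z">
  <saml2p:RequestedAuthnContext Comparison="minimum">
    <saml2:AuthnContextClassRef xmlns:saml2="{SAML}">{PASSWORD}</saml2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>"""


def parse_requested_authn_context(xml_text):
    """Return (comparison, [class refs]); Comparison defaults to 'exact' per SAML core."""
    root = ET.fromstring(xml_text)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    comparison = rac.get("Comparison", "exact")
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return comparison, refs


def satisfies(comparison, requested, achieved, strength=STRENGTH):
    """True if the achieved class ref meets the request under the given Comparison.

    exact:   achieved must be one of the requested classes.
    minimum: achieved must be at least as strong as one requested class,
             judged by the responder's ordering; unknown classes never match.
    """
    if comparison == "exact":
        return achieved in requested
    if comparison == "minimum":
        rank = {c: i for i, c in enumerate(strength)}
        if achieved not in rank:
            return False
        return any(r in rank and rank[achieved] >= rank[r] for r in requested)
    raise ValueError(f"Comparison value not handled here: {comparison}")


if __name__ == "__main__":
    comparison, refs = parse_requested_authn_context(REQUEST)
    print(comparison, refs)
    for achieved in (PASSWORD, PPT, "urn:example:unknown"):
        print(achieved, "minimum:", satisfies("minimum", refs, achieved),
              "exact:", satisfies("exact", refs, achieved))
```

Under "minimum" the stronger PasswordProtectedTransport result is accepted for a Password request, while "exact" rejects anything but Password itself; that difference is what the Comparison value in the outgoing request decides.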

