Changing IDP4 SAML Authentication RequestedAuthnContext Comparison value
Aterea Brown
atbrown at aut.ac.nz
Sun Nov 28 20:18:39 UTC 2021
Hi Neil,
Have you tried
<bean parent="SAML2.SSO" p:authnContextComparison="exact">
    <property name="defaultAuthenticationMethods">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
        </list>
    </property>
</bean>
in your relying-party.xml?
--
Aterea Brown, AUT University
Cybersecurity, ICT
Email: atbrown at aut.ac.nz Phone: 9219999 x 6523
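Once an override like the one above is in place, the quickest way to confirm it took effect is to decode the outgoing SAMLRequest (HTTP-Redirect binding: base64 over raw DEFLATE) and read the Comparison attribute rather than trusting the config alone. This is an added Python example, not code from this thread or from the Shibboleth project; the SAMLRequest values are constructed stand-ins for the logged requests, and the helper names are mine.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"


def decode_redirect_request(saml_request: str) -> str:
    """Reverse the HTTP-Redirect binding encoding: base64, then raw DEFLATE (no zlib header)."""
    raw = base64.b64decode(saml_request)
    return zlib.decompress(raw, -15).decode("utf-8")


def requested_authn_context(authn_request_xml: str):
    """Return (Comparison, [AuthnContextClassRef, ...]) from an AuthnRequest.

    SAML 2.0 Core defines Comparison as optional with a default of "exact",
    so an absent attribute is reported as "exact" rather than as missing.
    """
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAML2P}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML2}}}AuthnContextClassRef") if e.text]
    return rac.get("Comparison", "exact"), refs


def check_exact_password(saml_request: str) -> bool:
    """True only when the request asks for exactly the Password class with Comparison="exact"."""
    comparison, refs = requested_authn_context(decode_redirect_request(saml_request))
    return comparison == "exact" and refs == [PASSWORD]


def encode_redirect_request(authn_request_xml: str) -> str:
    """Inverse of decode_redirect_request; used here only to build the constructed samples."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def _sample(comparison: str) -> str:
    # Constructed minimal AuthnRequest mirroring the RequestedAuthnContext quoted in the thread.
    return (f'<saml2p:AuthnRequest xmlns:saml2p="{SAML2P}" ID="_constructed" Version="2.0">'
            f'<saml2p:RequestedAuthnContext Comparison="{comparison}">'
            f'<saml2:AuthnContextClassRef xmlns:saml2="{SAML2}">{PASSWORD}</saml2:AuthnContextClassRef>'
            '</saml2p:RequestedAuthnContext></saml2p:AuthnRequest>')


BEFORE = encode_redirect_request(_sample("minimum"))  # what the IdP emitted before the override
AFTER = encode_redirect_request(_sample("exact"))     # what it should emit afterwards

if __name__ == "__main__":
    print("before:", requested_authn_context(decode_redirect_request(BEFORE)))
    print("after: ", requested_authn_context(decode_redirect_request(AFTER)))
```

To run it against a real request, paste the URL-decoded SAMLRequest query parameter from the IdP's outgoing redirect into decode_redirect_request.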
________________________________
From: users <users-bounces at shibboleth.net> on behalf of McLennan, Neil R <n.mclennan at imperial.ac.uk>
Sent: Saturday, 27 November 2021 2:12 AM
To: 'Shib Users' <users at shibboleth.net>
Subject: Changing IDP4 SAML Authentication RequestedAuthnContext Comparison value
Has anybody worked out how to alter the RequestedAuthnContext for SAML authentication so that <saml2p:RequestedAuthnContext Comparison="exact">?
As per the useful https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631678/RelyingPartyConfiguration I have updated the relying party for the SAML authentication hoping it might override <saml2p:RequestedAuthnContext Comparison="minimum">, however it remains the same.
Authentication request into Shibboleth
<saml2p:RequestedAuthnContext Comparison="minimum">
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
Outgoing Authentication request from Shibboleth remains as
<saml2p:RequestedAuthnContext Comparison="minimum">
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
What am I missing in the Relying Party configuration for SAML authentication?
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sts.windows.net/xxxxxxxxxxxxxxx/">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:disallowedFeatures-ref="SAML2.SSO.FEATURE_AUTHNCONTEXT">
                <property name="defaultAuthenticationMethods">
                    <list>
                        <bean parent="shibboleth.SAML2AuthnContextClassRef"
                            c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
                    </list>
                </property>
            </bean>
        </list>
    </property>
</bean>
However
Authentication request into Shibboleth
<saml2p:RequestedAuthnContext Comparison="minimum">
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
Outgoing Authentication request from Shibboleth remains as
<saml2p:RequestedAuthnContext Comparison="minimum">
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
Regards
Neil McLennan