Changing IDP4 SAML Authentication RequestedAuthnContext Comparison value

McLennan, Neil R n.mclennan at imperial.ac.uk
Mon Nov 29 14:26:30 UTC 2021


Although https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631686/ProfileConfiguration-SAML2SSO suggests that p:authnContextComparison="exact" would work, I just get:

2021-11-29 14:06:59,997 - 146.179.32.222 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:131] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer https://auth.surveys.evasysplus.co.uk/sp/shibboleth
2021-11-29 14:06:59,997 - 146.179.32.222 - ERROR [net.shibboleth.idp.relyingparty.impl.ReloadingRelyingPartyConfigurationResolver:108] - RelyingPartyResolver 'shibboleth.RelyingPartyConfigurationResolver': error looking up Relying Party: Invalid configuration.


From: users <users-bounces at shibboleth.net> On Behalf Of Aterea Brown
Sent: 28 November 2021 20:19
To: Shib Users <users at shibboleth.net>
Subject: Re: Changing IDP4 SAML Authentication RequestedAuthnContext Comparison value

Hi Neil,

Have you tried

<bean parent="SAML2.SSO" p:authnContextComparison="exact">
        <property name="defaultAuthenticationMethods">
                <list>
                        <bean parent="shibboleth.SAML2AuthnContextClassRef"
                                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
                </list>
        </property>
</bean>


in your relying-party.xml?
--
Aterea Brown, AUT University
Cybersecurity, ICT
Email: atbrown at aut.ac.nz Phone: 9219999 x 6523
________________________________
From: users <users-bounces at shibboleth.net> on behalf of McLennan, Neil R <n.mclennan at imperial.ac.uk>
Sent: Saturday, 27 November 2021 2:12 AM
To: 'Shib Users' <users at shibboleth.net>
Subject: Changing IDP4 SAML Authentication RequestedAuthnContext Comparison value

Has anybody worked out how to alter the RequestedAuthnContext for SAML authentication so that <saml2p:RequestedAuthnContext Comparison="exact">?

As per the useful https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631678/RelyingPartyConfiguration, I have updated the relying party for the SAML authentication, hoping it might override <saml2p:RequestedAuthnContext Comparison="minimum">; however, it remains the same.

Authentication request into Shibboleth

    <saml2p:RequestedAuthnContext Comparison="minimum">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>

Outgoing Authentication request from Shibboleth remains as

    <saml2p:RequestedAuthnContext Comparison="minimum">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>

What am I missing in the Relying Party configuration for SAML authentication?

<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sts.windows.net/xxxxxxxxxxxxxxx/">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:disallowedFeatures-ref="SAML2.SSO.FEATURE_AUTHNCONTEXT">
                <property name="defaultAuthenticationMethods">
                    <list>
                        <bean parent="shibboleth.SAML2AuthnContextClassRef"
                              c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
                    </list>
                </property>
            </bean>
        </list>
    </property>
</bean>

However

Authentication request into Shibboleth

    <saml2p:RequestedAuthnContext Comparison="minimum">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>

Outgoing Authentication request from Shibboleth remains as

    <saml2p:RequestedAuthnContext Comparison="minimum">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>

Regards

Neil McLennan
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
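The thread compares the inbound AuthnRequest (from the SP into the IdP) with the outbound proxied AuthnRequest (from the IdP to the upstream sts.windows.net provider) by reading the RequestedAuthnContext by eye. The script below is an added example, not code from this thread or from the Shibboleth project: it decodes a Redirect-binding SAMLRequest value (base64 over raw DEFLATE), extracts the Comparison attribute and the AuthnContextClassRef values, and reports whether the IdP changed either when proxying. The sample AuthnRequest, its ID and the issuer URL are constructed placeholders; the helper that encodes a request exists only to build that sample.

```python
"""Check the RequestedAuthnContext of SAML 2.0 AuthnRequests.

Added example for this thread (not Shibboleth project code). Useful for
confirming whether a relying-party.xml change actually altered the
outbound request, instead of reading the XML by hand.
"""
import base64
import zlib
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"


def decode_redirect_saml_request(param_value: str) -> str:
    """Decode a Redirect-binding SAMLRequest value: base64 over raw DEFLATE.

    wbits=-15 tells zlib to expect DEFLATE data without a zlib header,
    which is what the HTTP-Redirect binding specifies.
    """
    raw = base64.b64decode(param_value)
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_redirect_saml_request(xml_text: str) -> str:
    """Inverse of decode_redirect_saml_request; only used to build sample input."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def requested_authn_context(xml_text: str):
    """Return (comparison, [class refs]); (None, []) when the element is absent."""
    root = ET.fromstring(xml_text)
    rac = root.find(f"{{{NS_P}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    # SAML 2.0 Core defines "exact" as the default when Comparison is omitted.
    comparison = rac.get("Comparison", "exact")
    refs = [e.text.strip() for e in rac.findall(f"{{{NS_A}}}AuthnContextClassRef") if e.text]
    return comparison, refs


def compare_inbound_outbound(inbound_xml: str, outbound_xml: str) -> dict:
    """Report whether the proxying IdP changed Comparison or the class refs."""
    in_cmp, in_refs = requested_authn_context(inbound_xml)
    out_cmp, out_refs = requested_authn_context(outbound_xml)
    return {
        "inbound": (in_cmp, in_refs),
        "outbound": (out_cmp, out_refs),
        "comparison_changed": in_cmp != out_cmp,
        "classrefs_changed": in_refs != out_refs,
    }


def sample_authn_request(comparison: str) -> str:
    """Constructed minimal AuthnRequest; ID and issuer are placeholders."""
    return f"""<saml2p:AuthnRequest xmlns:saml2p="{NS_P}" ID="_example-id" Version="2.0"
    IssueInstant="2021-11-29T14:06:59Z">
  <saml2:Issuer xmlns:saml2="{NS_A}">https://idp.example.org/idp/shibboleth</saml2:Issuer>
  <saml2p:RequestedAuthnContext Comparison="{comparison}">
    <saml2:AuthnContextClassRef xmlns:saml2="{NS_A}">{PASSWORD_CLASS}</saml2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>"""


if __name__ == "__main__":
    # Reproduce the situation in the thread: both requests carry "minimum".
    inbound = sample_authn_request("minimum")
    outbound_param = encode_redirect_saml_request(sample_authn_request("minimum"))
    outbound = decode_redirect_saml_request(outbound_param)
    for key, value in compare_inbound_outbound(inbound, outbound).items():
        print(f"{key}: {value}")
```

To use it on a real exchange, paste the SAMLRequest query parameter captured from the browser (URL-decoded) into decode_redirect_saml_request and pass the result to requested_authn_context; a POST-binding request is plain base64 without DEFLATE and can be decoded with base64.b64decode alone.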