OIDC auth method

Engström Per per.engstrom at smhi.se
Wed Oct 27 13:37:08 UTC 2021

Hello all!

My first post to this list. I’m working together with Sakib.

Would it be possible to get a reference to documentation, or even better an example, of how to get the "acr" claim included in an AuthenticationResponse? We are currently using shibboleth-identity-provider-3.4.1 with idp-oidc-extension-distribution-1.1.0.

As we are using "mod_auth_openidc" in Apache HTTPD at the Relying Party, we have tried both suggested methods described in https://github.com/zmartzone/mod_auth_openidc/wiki/Step-up-Authentication without success.

The first method, where you add "acr_values" to the AuthenticationRequest, leads us to the following question: how does one get "acr_values_supported" included as a JSONArray in the OpenID configuration of the OpenID Connect Provider? Without knowing which values the OP supports, it is impossible to set correct values in the "acr_values" parameter.

The second method, where you add a scope based on the currently requested location, assumes a custom scope "2factor" to be included in the AuthenticationResponse, where I assume the "acr" claim is included? How does one define such a scope? I've added the following to "conf/attribute-filter-oicd.xml":

    <AttributeFilterPolicy id="OPENID_AUTH">
        <PolicyRequirementRule xsi:type="oidcext:OIDCScope" value="2factor" />
        <AttributeRule attributeID="acr">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

The filter policy makes reference to an attribute with id "acr" which I do not know how to define. Please help.


Per Engström
Systemutvecklare / Systems Developer

SMHI / Swedish Meteorological and Hydrological Institute

E-post / Email: per.engstrom at smhi.se
Tel / Phone: +46 (0)11 495 83 37
Besöksadress / Street address: Folkborgsvägen 17
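As an added example (not code from the poster, from Shibboleth or from mod_auth_openidc), here is the Relying-Party-side logic in Python that the two questions above boil down to: it reads "acr_values_supported" from a constructed discovery document and fails closed when the returned ID token carries no "acr" claim at all. The discovery values, the sample tokens and the choice of the REFEDS MFA URI as the required acr are assumptions.

```python
import base64
import json
# Constructed sample OP discovery document (not the poster's IdP): the RP
# should read acr_values_supported here before filling in acr_values.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://op.example.org",
    "acr_values_supported": ["https://refeds.org/profile/mfa", "password"],
})
MFA = "https://refeds.org/profile/mfa"  # assumed required acr (REFEDS MFA profile)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def id_token_claims(id_token: str) -> dict:
    """Return the payload of an ID token whose signature the RP has ALREADY
    verified (mod_auth_openidc does so before exposing claims to the app)."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(b64url_decode(payload))

def supported_acr_values(discovery_json: str) -> list:
    """acr_values_supported is OPTIONAL in OIDC Discovery; an OP that omits
    it gives the RP nothing to choose acr_values from (the poster's problem)."""
    return json.loads(discovery_json).get("acr_values_supported", [])

def step_up_satisfied(claims: dict, required_acr: str, supported: list) -> tuple:
    """Decide whether this ID token proves the step-up the RP asked for. A
    missing "acr" must fail closed: requesting MFA is not evidence it happened."""
    if required_acr not in supported:
        return False, f"OP does not advertise {required_acr!r}"
    acr = claims.get("acr")
    if acr is None:
        return False, "acr claim absent from ID token"
    if acr != required_acr:
        return False, f"acr {acr!r} does not satisfy {required_acr!r}"
    return True, "ok"

def make_sample_token(payload: dict) -> str:
    """Constructed, unsigned sample token for offline use; the signature
    segment is a placeholder and is never verified here."""
    return f"{b64url(json.dumps({'alg': 'RS256'}).encode())}.{b64url(json.dumps(payload).encode())}.sig"

if __name__ == "__main__":
    supported = supported_acr_values(DISCOVERY_DOC)
    for claims in ({"sub": "per", "acr": MFA}, {"sub": "per"}, {"sub": "per", "acr": "password"}):
        print(step_up_satisfied(id_token_claims(make_sample_token(claims)), MFA, supported))
```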

On 27 Oct 2021, at 04:40, Cantor, Scott <cantor.2 at osu.edu> wrote:

On 10/26/21, 8:44 AM, "users on behalf of Kicic Sakib" <users-bounces at shibboleth.net on behalf of Sakib.Kicic at smhi.se> wrote:

  Is there any way to see on the SP side in the OIDC token which user authentication method was used, e.g. password or

The "acr" claim contains the authentication signal.

-- Scott

