Giving an SP the authnContextClassRef they asked for
Wessel, Keith
kwessel at illinois.edu
Wed Jan 12 20:47:35 UTC 2022
Hi, all,
This might be default behavior in the IdP that I've broken with the magic I'm pulling off to reverse map ADFS claims to authnContextClassRef values with my SAML proxy, but I'm not sure of that.
The situation is this: we've got an SP that is explicitly requesting password in its authn request:
<samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
Foolishly, the vendor (Infoblox) has this hard coded in their requests. There's no way to turn it off and no way to change the requested context. However, since this is our IP allocation and DNS appliance, we want MFA to be used. I had this working when we were using the IdP's built-in password flow and the MFA flow by simply removing the password method from a user's allowed methods. The IdP then did an MFA authentication and responded to the SP with success. I'm not sure if it was responding with an MFA authnContextClassRef or a password one, but regardless, the SP was happy. Since my MFA flow and second factor script are no longer coming into play with our proxying everything to ADFS, that logic no longer gets used.
The IdP is proxying the request to ADFS which may or may not do MFA. I have a way of forcing MFA over there, no big deal. But when MFA is done, ADFS is returning a claim to the IdP saying that it was done which the IdP is mapping to a Refeds MFA authnContextClassRef. At that point, for this particular SP, things break. The logs state that the authentication didn't satisfy the request.
Is there anything I can do with a relying party override at this point for this particular SP? Can I set an authnContextComparison to "better" and make it happy? I'm assuming, because of the request that's coming in, the IdP is setting it to "exact".
Or do I need to create an authnContextTranslationStrategy bean that manually maps it back to urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport?
Thanks,
Keith
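The failure described in the post comes down to how a returned AuthnContextClassRef is compared against the SP's RequestedAuthnContext. The script below is an added example, not code from the post or from the Shibboleth project: it parses the request fragment quoted above (with namespace declarations added so it is well-formed), evaluates it under the four SAML 2.0 Comparison values, and shows the effect of translating the REFEDS MFA class back to PasswordProtectedTransport before the comparison, which is the mapping the post asks about. The strength ordering in STRENGTH is a constructed assumption for illustration; a real IdP applies whatever ordering and translation it is configured with, and the "maximum" rule is simplified to "not stronger than the strongest requested class".

```python
"""Evaluate a SAML 2.0 RequestedAuthnContext against the class an IdP returned.

Added illustration (not Shibboleth code). Namespaces and class URIs are the
standard SAML 2.0 / REFEDS values; the STRENGTH ordering is an assumption.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
REFEDS_MFA = "https://refeds.org/profile/mfa"

# Constructed relative strength of each class (assumption): higher is stronger.
STRENGTH = {UNSPECIFIED: 0, PASSWORD: 1, PPT: 2, REFEDS_MFA: 3}

# The SP's request from the post, made well-formed by declaring the namespaces.
REQUEST_XML = (
    '<samlp:RequestedAuthnContext Comparison="exact" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:AuthnContextClassRef>" + PPT + "</saml:AuthnContextClassRef>"
    "</samlp:RequestedAuthnContext>"
)


def parse_requested(xml_text):
    """Return (comparison, [class refs]) from a RequestedAuthnContext element.

    Per SAML 2.0 core, Comparison defaults to "exact" when absent.
    """
    root = ET.fromstring(xml_text)
    comparison = root.get("Comparison", "exact")
    refs = [e.text.strip() for e in root.findall("saml:AuthnContextClassRef", NS)]
    return comparison, refs


def satisfies(returned, comparison, requested):
    """Does the returned class satisfy the requested classes under comparison?"""
    if comparison == "exact":
        # Exact match on the URI; REFEDS MFA is simply a different string.
        return returned in requested
    got = STRENGTH.get(returned)
    wanted = [STRENGTH[r] for r in requested if r in STRENGTH]
    if got is None or not wanted:
        return False  # unknown class on either side cannot be ordered
    if comparison == "minimum":
        return got >= min(wanted)  # at least as strong as one requested class
    if comparison == "better":
        return got > max(wanted)  # strictly stronger than every requested class
    if comparison == "maximum":
        return got <= max(wanted)  # simplified: not above the strongest requested
    raise ValueError("unknown Comparison value: %r" % comparison)


def evaluate(request_xml, returned, translation=None):
    """Apply an optional class translation, then compare as the IdP would.

    `translation` maps the class produced by authentication to the class that
    should be reported to this SP (the idea behind a translation strategy).
    """
    comparison, requested = parse_requested(request_xml)
    if translation:
        returned = translation.get(returned, returned)
    return satisfies(returned, comparison, requested)


if __name__ == "__main__":
    print("exact, MFA returned:", evaluate(REQUEST_XML, REFEDS_MFA))
    print("exact, MFA mapped to PPT:", evaluate(REQUEST_XML, REFEDS_MFA, {REFEDS_MFA: PPT}))
    print("better, MFA returned:", satisfies(REFEDS_MFA, "better", [PPT]))
```

Running it shows the two outcomes the post contrasts: with the SP's "exact" request, an MFA class fails while the same authentication reported as PasswordProtectedTransport succeeds, and only a non-exact comparison such as "better" lets the stronger class pass without translation. The mapping also illustrates the trade-off of translating: the SP then receives a weaker class than what actually happened, so any downstream policy keyed on the class value loses that information.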