AuthnContextClassRef - Password vs PasswordProtectedTransport

Donald Lohr lohrda at jmu.edu
Thu Jul 28 21:00:25 UTC 2022


By default our IdP is configured:

1) All users first log in (SSO) with their loginID/password and, if successful...
2) Then all users do MFA and if successful...
3) The user's browser is redirected to the SP.

So far, we've not had any SP vendors require an acknowledgement of what 
our auth model is.

Thanks,
Don

On 7/28/22 2:24 PM, Nate Klingenstein wrote:
>
> Donald,
>
> The answer's a little nuanced.  The request is generated (typically) by the SP, which can specify the mechanism by which it would like users to be authenticated using the class reference as an identifier.  The IdP is responsible for meeting that level of authentication in its interpretation and responding with an assertion with the same level of authentication.
>
> Without checking, IIRC, the IdP out of the box considers password over TLS, which is PasswordProtectedTransport, to also meet the requirements of Password, which is basically the bare minimum.
>
> There's also the ability for an SP to request "better than", "at least", and other things, but those are rarely used.
>
> You only really have to start understanding this when you start dealing with MFA or really wonky vendors.
>
> Hope this helps,
> Nate
>
> --------
> Signet, Inc.
> The Art of Access ®
>
> https://www.signet.id
>
> -----Original message-----
> From: Donald Lohr via users
> Sent: Thursday, July 28 2022, 7:58 am
> To: Shib Users
> Cc: Donald Lohr
> Subject: AuthnContextClassRef - Password vs PasswordProtectedTransport
>
> Using the SAML tracer plugin for Firefox, on the SAML/POST entry after successfully
> providing my credentials (SSO login to an SP) I see:
>
>     <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
>   </saml2:AuthnContext>
>
> For some SP logins I see:
>
>     <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>   </saml2:AuthnContext>
>
> All I've been able to find thus far as an explanation is the following:
>
> The Password class is applicable when a principal authenticates to an authentication
> authority through the presentation of a password over an unprotected HTTP session.
>
> The PasswordProtectedTransport class is applicable when a principal authenticates to an
> authentication authority through the presentation of a password over a protected session.
>
> Is Password or PasswordProtectedTransport controlled by how the SP is configured on the IdP side?
>
> Thanks,
>
> Don
>
> --
> D o n a l d   L o h r
> I n f o r m a t i o n   S y s t e m s
> J a m e s   M a d i s o n   U n i v e r s i t y
> 5 4 0 . 5 6 8 . 3 7 3 0
>

-- 
D o n a l d   L o h r
I n f o r m a t i o n   S y s t e m s
J a m e s   M a d i s o n   U n i v e r s i t y
5 4 0 . 5 6 8 . 3 7 3 0
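Nate's reply above describes the SP naming a class reference in its request and the IdP answering with an assertion that meets it, with PasswordProtectedTransport also counting as Password. The following is an added example, not code from this thread or from Shibboleth, of the check an SP can run on the response against the SAML 2.0 RequestedAuthnContext Comparison values ("exact", "minimum", "better", "maximum"). The strength ordering between the two classes, both XML snippets and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# Assumed ordering for this example only: password over TLS counts as at least a bare Password.
STRENGTH = {AC + "Password": 1, AC + "PasswordProtectedTransport": 2}

# Constructed sample AuthnRequest: the SP asks for at least Password.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>{AC}Password</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext></samlp:AuthnRequest>"""
# Constructed sample assertion, shaped like the SAML tracer output quoted in the thread.
ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML}" ID="_a1" Version="2.0">
  <saml2:AuthnStatement><saml2:AuthnContext>
    <saml2:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml2:AuthnContextClassRef>
  </saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion>"""

def requested_context(authn_request_xml):
    # Returns (Comparison, [class refs]); Comparison defaults to "exact" per SAML 2.0 core.
    rac = ET.fromstring(authn_request_xml).find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return "exact", []
    return rac.get("Comparison", "exact"), [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]

def asserted_context(assertion_xml):
    # The class ref the IdP put in its AuthnStatement, or None if it is missing.
    ref = ET.fromstring(assertion_xml).find(f".//{{{SAML}}}AuthnContextClassRef")
    return ref.text.strip() if ref is not None else None

def satisfies(asserted, comparison, requested):
    # SAML 2.0 core Comparison rules evaluated over STRENGTH; unknown classes fail closed.
    if not requested:
        return True  # nothing requested, so any context is acceptable
    if asserted not in STRENGTH or any(r not in STRENGTH for r in requested):
        return False
    got, wanted = STRENGTH[asserted], [STRENGTH[r] for r in requested]
    if comparison == "exact":
        return asserted in requested
    if comparison == "minimum":  # at least as strong as one of the requested classes
        return got >= min(wanted)
    if comparison == "better":   # stronger than every requested class
        return got > max(wanted)
    if comparison == "maximum":  # no stronger than the strongest requested class
        return got <= max(wanted)
    return False  # unrecognised Comparison value

def check(authn_request_xml, assertion_xml):
    comparison, refs = requested_context(authn_request_xml)
    return satisfies(asserted_context(assertion_xml), comparison, refs)
```

With the constructed inputs, `check(AUTHN_REQUEST, ASSERTION)` returns True because PasswordProtectedTransport satisfies a "minimum" request for Password, while a bare Password assertion against a request for PasswordProtectedTransport would be rejected.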