X509Internal module and urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport AuthnContextClassRef

GALLIANO Nicolas nicolas.galliano at dsi.cnrs.fr
Thu Jun 2 07:53:33 UTC 2022



Since we migrated from Shibboleth version 4.0.1 to 4.1.7, we have seen a
strange behaviour when we connect with an x509 certificate (using X509Internal
through an MFA flow).

The authentication works well and users can connect with this factor, but we
see in the SAML response that the AuthnContextClassRef is always <
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport >.

In the IdP logs we now see < password > instead of <
urn:oasis:names:tc:SAML:2.0:ac:classes:X509 >.

I don't understand why the IdP sends such a SAML response although the SP
doesn't ask for this authentication factor (no AuthnContextClassRef required
in the SAML request), and our IdP uses the saml2.sso < classic > profile and
has no defaultAuthenticationMethods configured.

I tried with 4.2.1 and have the same behaviour.

So could you tell me if this behaviour can be caused by some IdP parameters
(that I forgot or don't know about) or if it can be a < bug > with versions > 4.1?
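An added example, not part of the post or of the Shibboleth project: a small check an SP operator can run over a decoded SAML Response to list the asserted AuthnContextClassRef values and compare them with the factor the login was supposed to use. The sample response, issuer URL and IDs are constructed to mirror the situation described above (a certificate login that comes back asserting PasswordProtectedTransport).

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample response (issuer, IDs and timestamps are made up):
# the IdP asserts PasswordProtectedTransport even though the user
# authenticated with a client certificate.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2022-06-02T07:53:33Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-06-02T07:53:33Z">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2022-06-02T07:53:30Z" SessionIndex="_s1">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def authn_context_class_refs(response_xml: str) -> list[str]:
    """Return every AuthnContextClassRef asserted in the response, in document order."""
    root = ET.fromstring(response_xml)
    path = "saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [(e.text or "").strip() for e in root.findall(path, NS)]


def check_expected_factor(response_xml: str, expected: str) -> dict:
    """Compare the asserted class refs with the factor the SP expects.

    An SP that uses the class ref for access decisions should treat a
    mismatch as a failed assurance check rather than a successful login.
    """
    refs = authn_context_class_refs(response_xml)
    return {"asserted": refs, "expected": expected, "ok": refs == [expected]}


if __name__ == "__main__":
    # For the sample this reports asserted PPT, expected X509, ok False.
    print(check_expected_factor(SAMPLE_RESPONSE, X509))
```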




