X509Internal module and urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport AuthnContextClassRef

GALLIANO Nicolas nicolas.galliano at dsi.cnrs.fr
Thu Jun 2 13:40:21 UTC 2022 

Thanks Scott for your answer.

Little more détails about our mfa flow :

It works with the x509internal and password flow
If no forceauthn is required the x509 is tried and success if an x509
certificate is provided
Then we try to resolve and verify an attribute to be sure the mail extracted
from the x509 really exists in our ldap
If true the mfa flow ends and authentication is done (with the Canonical
principal name extracted by the c14n/x500 flow) 
Else the password flow is called.

There no matter in the mfa flow : users can authenticate by x509 certificate
or by login/password but this behaviour remains strange
I attached some debug logs to summarize it.

Yes I saw the shibboleth.AuthenticationPrincipalWeightMap util map present
and active in the authn-comparison.xml file.
I tried to inhibate the "shibboleth.SAML2AuthnContextClassRef" entry and
after tomcat restart nothing changed :(

    <util:map id="shibboleth.AuthenticationPrincipalWeightMap">
<!-- 
        <entry>
            <key>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
 
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTranspor
t" />
            </key>
            <value>1</value>
        </entry>
-->
    </util:map>
 
I still looking for how i can (involuntarily) tell our idp to send
samlresponse with the PasswordProtectedTransport SAML2AuthnContextClassRef
even in x509 authentication context ...

Thanks.
nico

-----Message d'origine-----
De : users <users-bounces at shibboleth.net> De la part de Cantor, Scott via
users
Envoyé : jeudi 2 juin 2022 14:37
À : Shib Users <users at shibboleth.net>
Cc : Cantor, Scott <cantor.2 at osu.edu>
Objet : Re: X509Internal module and
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
AuthnContextClassRef

If you get that context out it's because you told the IdP to support it and
to add it into the Subject. When multiple context class Principals are
present in the Subject and nothing is requested, which one is expressed is
not specified, unless you adjust the
shibboleth.AuthenticationPrincipalWeightMap bean to differentiate which ones
should outrank others.

X509/X509Internal do not claim to support that context class out of the box,
so you either put it there or something else is being done incorrectly.

-- Scott


-- 
For Consortium Member technical support, see
https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to
users-unsubscribe at shibboleth.net
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: shibb_4.1.7.txt
URL: <http://shibboleth.net/pipermail/users/attachments/20220602/8758b5bc/attachment.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6789 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20220602/8758b5bc/attachment.p7s>

More information about the users mailing list