X509Internal module and urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport AuthnContextClassRef
GALLIANO Nicolas
nicolas.galliano at dsi.cnrs.fr
Thu Jun 2 15:58:29 UTC 2022
OK, thanks Scott. I understand.
I rectify what I said previously. If I comment out like that:
<util:map id="shibboleth.AuthenticationPrincipalWeightMap">
    <!--
    <entry>
        <key>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
        </key>
        <value>1</value>
    </entry>
    -->
</util:map>
The SAML2AuthnContextClassRef is Password.
And if I comment out the whole util map like that:
<!--
<util:map id="shibboleth.AuthenticationPrincipalWeightMap">
    <entry>
        <key>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
        </key>
        <value>1</value>
    </entry>
    <entry>
        <key>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
        </key>
        <value>1</value>
    </entry>
</util:map>
-->
the SAML2AuthnContextClassRef is PasswordProtectedTransport.
About the principals supported by the MFA flow, it's the same with this configuration:
idp.authn.MFA.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password

idp.authn.MFA.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
In my understanding, as our MFA flow supports the X509 and password flows, the last config must be good.
Still investigating :)
nico
-----Original Message-----
From: Cantor, Scott <cantor.2 at osu.edu>
Sent: Thursday, June 2, 2022 16:21
To: GALLIANO Nicolas <nicolas.galliano at dsi.cnrs.fr>; Shib Users <users at shibboleth.net>
Subject: Re: X509Internal module and urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport AuthnContextClassRef
On 6/2/22, 9:40 AM, "GALLIANO Nicolas" <nicolas.galliano at dsi.cnrs.fr> wrote:
> I'm still looking for how I can (involuntarily) tell our IdP to send a
> SAML response with the PasswordProtectedTransport SAML2AuthnContextClassRef
> even in an X509 authentication context ...
I really can't help you further here; per the footer, this is member support territory.
I'm simply telling you that a) the weight map works but b) you have configured the system as a whole such that the Subject the MFA flow is producing has the PPT Principal inside it.
From the description you gave, the only way that's possible is if the X509 flow was misconfigured with the PPT Principal as "supported" or if the MFA flow was changed to auto-add all its supported Principals into the final result, which is not the default behavior.
-- Scott
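An added illustration of the point Scott makes above (this is not Shibboleth code): the weight map only ranks the AuthnContextClassRef principals already present in the Subject, so it can never remove the PPT principal. The model assumes unlisted principals weigh 0 and that ties go to the principal listed first in the Subject; the IdP's real tie-break is not claimed here. The constructed Subjects and the `parse_supported_principals` helper are mine.

```python
"""Model of principal-weight selection for the AuthnContextClassRef
(added illustration, not Shibboleth's own code).
Assumptions: unlisted principals weigh 0; among equal weights the
principal listed first in the Subject wins (the real IdP may differ)."""
from typing import Dict, List, Optional

AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PPT = AC + "PasswordProtectedTransport"
PASSWORD = AC + "Password"
X509 = AC + "X509"
TLSCLIENT = AC + "TLSClient"


def parse_supported_principals(props: str) -> List[str]:
    """Turn an idp.properties value written with backslash line
    continuations (as in the thread) into a list of bare classRefs."""
    _, _, value = props.partition("=")
    items = value.replace("\\\n", " ").split(",")
    return [i.strip()[len("saml2/"):] for i in items
            if i.strip().startswith("saml2/")]


def select_authn_context(subject: List[str],
                         weights: Dict[str, int]) -> Optional[str]:
    """The classRef the assertion would carry: highest weight wins.
    max() keeps the first maximal element, giving the Subject-order tie-break."""
    return max(subject, key=lambda p: weights.get(p, 0)) if subject else None


def scenarios() -> Dict[str, Optional[str]]:
    """Replay the three observations from the thread plus a clean X509 login."""
    mfa_subject = [PPT, PASSWORD]      # constructed: Subject the misconfigured MFA flow yields
    x509_subject = [X509, TLSCLIENT]   # constructed: Subject of an X509 login without PPT
    return {
        # original symptom: both weighted 1, PPT listed first -> PPT
        "both weighted 1": select_authn_context(mfa_subject, {PPT: 1, PASSWORD: 1}),
        # PPT entry commented out: Password (1) beats PPT (0) -> Password
        "PPT entry commented out": select_authn_context(mfa_subject, {PASSWORD: 1}),
        # whole map commented out: every weight 0 -> first in Subject, PPT
        "whole map commented out": select_authn_context(mfa_subject, {}),
        # the map cannot drop a principal; only a Subject without PPT avoids it
        "X509 subject, full map": select_authn_context(x509_subject, {PPT: 1, PASSWORD: 1}),
    }
```

The first three results reproduce what was observed after each edit to the map, while the last shows that the fix has to happen where the Subject is built, not in the weights.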