Set AuthnContextClassRef

The SAML IdP will use urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the default value for AuthnContextClassRef. This guide will tell you how to change this to another value.

Background

The AuthnContextClassRef has to be configured manually as all authentication methods are separated from the federation protocol.

Configuration

The configurations has to be done in two steps.

Export the value to be used from the autenticator.
Configure the SAML IdP authenticator to use the exported property.

Exporting the value

The example below exports AuthnContextClassRef


{
"id": "otp",
"type": "OTPValidator",
"config": {
		"base_path": "/saml/authn",
		"context_path": "/saml/authn/otp",
		"pipe_id": "otp_validation_pipe",
		"webroot_dir": "web/authenticator/otp_validation",
		   "exports": [
			{
				"name": "AuthnContextClassRef",
				"value": "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
			}		
		]
	}
}

Configure SAML IdP authenticator

The example below includes configuration to use the value from AuthnContextClassRef in auth_context_parameter.

{
    "id": "auth00",
    "type": "SAMLIDP",
    "config": {
        "context_path": "/saml/authn/chain",
        "base_path": "/saml/authn",
        "force_re_auth": false,
        "idp": "myidp1",
        "chain": [
            {
                "id": "otp",
                "required": true
            }
        ],
        "assertion_config": [
            {
                "target_sp": [
                    "*"
                ],
                "nameid_paramter": "mail",
                "auth_context_parameter": "AuthnContextClassRef",
                "additional_attribute_parameter": [
                    "givenName"
                ],
                "pre_assertion_pipe": "pre_pipe"
            }
        ]
    }
}

Common values to use as AuthnContextClassRef

Usage

Value

Username & Password (unprotected)

urn:oasis:names:tc:SAML:2.0:ac:classes:Password

Username & Password (protected)

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Username, Password and OTP

urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract

Certificate

urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient

BankID

urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig

PreviousAdd a Fortified ID virtual host NextWiki.js - OpenID Connect (OIDC)

Last updated 2 years ago