Set AuthnContextClassRef

The SAML IdP will use urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the default value for AuthnContextClassRef. This guide will tell you how to change this to another value.

Background

AuthnContextClassRef has to be configured manually, because the authentication methods are separated from the federation protocol, so the IdP cannot derive the class from the method that was actually used.

Configuration

The configuration has to be done in two steps.

  1. Export the value to be used from the authenticator.

  2. Configure the SAML IdP authenticator to use the exported property.

Exporting the value

The example below exports AuthnContextClassRef from the OTP authenticator.

{
    "id": "otp",
    "type": "OTPValidator",
    "config": {
        "base_path": "/saml/authn",
        "context_path": "/saml/authn/otp",
        "pipe_id": "otp_validation_pipe",
        "webroot_dir": "web/authenticator/otp_validation",
        "exports": [
            {
                "name": "AuthnContextClassRef",
                "value": "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
            }
        ]
    }
}

Configure SAML IdP authenticator

The example below configures the SAML IdP authenticator to use the exported AuthnContextClassRef property as auth_context_parameter.

{
    "id": "auth00",
    "type": "SAMLIDP",
    "config": {
        "context_path": "/saml/authn/chain",
        "base_path": "/saml/authn",
        "force_re_auth": false,
        "idp": "myidp1",
        "chain": [
            {
                "id": "otp",
                "required": true
            }
        ],
        "assertion_config": [
            {
                "target_sp": [
                    "*"
                ],
                "nameid_paramter": "mail",
                "auth_context_parameter": "AuthnContextClassRef",
                "additional_attribute_parameter": [
                    "givenName"
                ],
                "pre_assertion_pipe": "pre_pipe"
            }
        ]
    }
}
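As an added consistency check that is not part of this guide or the product, the following Python snippet walks the two configuration objects above (copied here as constructed dicts trimmed to the keys it inspects) and reports when auth_context_parameter does not match an exported property, when the exporting authenticator is missing from the chain or is not required, or when the exported value is not a SAML 2.0 authentication context class URN.

```python
# Constructed, trimmed copies of the two configuration objects in this guide
# (only the keys the check inspects are kept).
SAML_AC_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
MOBILE_2FA = SAML_AC_PREFIX + "MobileTwoFactorContract"

OTP_AUTHENTICATOR = {
    "id": "otp", "type": "OTPValidator",
    "config": {"exports": [{"name": "AuthnContextClassRef", "value": MOBILE_2FA}]},
}

SAML_IDP_AUTHENTICATOR = {
    "id": "auth00", "type": "SAMLIDP",
    "config": {
        "chain": [{"id": "otp", "required": True}],
        "assertion_config": [
            {"target_sp": ["*"], "auth_context_parameter": "AuthnContextClassRef"}
        ],
    },
}


def check_authn_context_wiring(idp, authenticators):
    """Return a list of findings; an empty list means the two steps line up."""
    findings = []
    by_id = {a["id"]: a for a in authenticators}
    chain = {c["id"]: c.get("required", False) for c in idp["config"].get("chain", [])}
    for ac in idp["config"].get("assertion_config", []):
        param = ac.get("auth_context_parameter")
        if not param:
            # Nothing referenced: the IdP falls back to the Password class.
            findings.append(f"{ac.get('target_sp')}: no auth_context_parameter set")
            continue
        exports = [(aid, e["value"]) for aid, a in by_id.items()
                   for e in a["config"].get("exports", []) if e["name"] == param]
        if not exports:
            findings.append(f"{param}: no authenticator exports this property")
        for aid, value in exports:
            if aid not in chain:
                findings.append(f"{param}: exporter '{aid}' is not in the IdP chain")
            elif not chain[aid]:
                # A step that can be skipped does not guarantee the assurance
                # level its exported class claims to the SP.
                findings.append(f"{param}: exporter '{aid}' has required=false")
            if not value.startswith(SAML_AC_PREFIX):
                findings.append(f"{param}: '{value}' is not a SAML 2.0 authn context class URN")
    return findings
```

Run the check against every SAMLIDP authenticator and all exporting authenticators in a deployment; any finding means the class asserted to the SP may not reflect the authentication that actually took place.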

Common values to use as AuthnContextClassRef

Please look at https://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf. Example values below:
