search
HomeManagement Center

Set AuthnContextClassRef

The SAML IdP will use urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the default value for AuthnContextClassRef. This guide will tell you how to change this to another value.

hashtag
Background

The AuthnContextClassRef has to be configured manually as all authentication methods are separated from the federation protocol.

hashtag
Configuration

The configurations has to be done in two steps.

  1. Export the value to be used from the autenticator.

  2. Configure the SAML IdP authenticator to use the exported property.

hashtag
Exporting the value

The example below exports AuthnContextClassRef


{
"id": "otp",
"type": "OTPValidator",
"config": {
		"base_path": "/saml/authn",
		"context_path": "/saml/authn/otp",
		"pipe_id": "otp_validation_pipe",
		"webroot_dir": "web/authenticator/otp_validation",
		   "exports": [
			{
				"name": "AuthnContextClassRef",
				"value": "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
			}		
		]
	}
}

hashtag
Configure SAML IdP authenticator

The example below includes configuration to use the value from AuthnContextClassRef in auth_context_parameter.

hashtag
Common values to use as AuthnContextClassRef

Please look at https://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdfarrow-up-right. Example values below:

Usage
Value

Username & Password (unprotected)

urn:oasis:names:tc:SAML:2.0:ac:classes:Password

Username & Password (protected)

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Username, Password and OTP

urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract

Certificate

urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient

BankID

urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig

PreviousScriptEval ExamplesNextWiki.js - OpenID Connect (OIDC)

Last updated