Subject: Re: [saml-dev] AuthnContext for WebSSO




On Wed, Jul 15, 2015 at 10:40 PM, prabhat chaturvedi <chaturvedi.prabhat@gmail.com> wrote:
Hi,

Recently we, being an SP, are integrating with an IdP which has some things that are doubtful from a spec perspective.

Despite going through the spec and citing the sections, they are interpreting it differently.

Kindly verify my understanding:

1) Can the IdP send the unspecified (urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified) AuthnContext if the authentication for the WebSSO use case happens using username/password over HTTPS?
As per the spec, it should send PasswordProtected if it is password-based authentication over HTTPS. We at the SP are looking for the PasswordProtected AuthnContext, and we fail the assertion.

I don't see why not. If I were an IdP, I don't see any reason why I need to specifically tell you, the SP, that the person I authenticated was using a password. If I didn't trust the SP explicitly, I may not want to give you that information.

2) We, being an SP, also send a required AuthnContext (which is PasswordProtected) in the SAMLRequest; in this case, if the IdP does not support this AuthnContext,
it should reply with NoAuthnContext. But the IdP still sends the unspecified AuthnContext.


I don't think the specification says the IdP must reply with no auth context.

Line 133: http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf

"Such context may include, but is not limited to, the actual authentication method used" ... so it doesn't have to include it.
3) Can the unspecified AuthnContext be used for any reason? As per the spec it should be used for unspecified means of authentication.
This IdP is using unspecified for all cases.


I've seen it used for a variety of reasons. To hide information from the SP for security reasons being one example.
They are asking us not to send RequestedAuthnContext, which is optional. We, being an SP, have already integrated with well-known IdPs and do not want to make this change
for only this IdP.
--
Regards
Prabhat
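The disagreement in this thread comes down to what the SP does when the AuthnContextClassRef in the assertion is not the one it asked for. The following is an added example (not code from the thread or from any OASIS deliverable) of an SP-side policy check: it pulls the AuthnContextClassRef values out of a constructed SAML Response, then evaluates them against the SP's RequestedAuthnContext list under the Comparison semantics "exact", "minimum" and "better" from SAML Core 3.3.2.2.1. The STRENGTH ranking is a hypothetical SP-local ordering (the spec leaves relative strength to the responder and to deployment policy), and accept_unspecified is a hypothetical policy switch so the SP can decide explicitly whether "unspecified" counts at all. Signature, Issuer, Conditions and Subject validation are assumed to have already passed.

```python
"""SP-side AuthnContext policy check. Added example; sample XML is constructed."""
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
UNSPECIFIED = AC + "unspecified"
PASSWORD_PROTECTED = AC + "PasswordProtectedTransport"

# Hypothetical SP-local strength ordering (assumption, not from the spec). Used only
# for the ordered comparisons; classes missing here are treated as unknown and fail.
STRENGTH = {
    UNSPECIFIED: 0,
    AC + "Password": 1,
    PASSWORD_PROTECTED: 2,
    AC + "TLSClient": 3,
    AC + "Smartcard": 4,
    AC + "SmartcardPKI": 5,
}

# Constructed response: the shape from the thread, an IdP answering with "unspecified".
# Signature/Issuer/Subject/Conditions omitted; assumed to be verified before this check.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_constructed_r1" Version="2.0" IssueInstant="2015-07-15T12:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_constructed_a1" Version="2.0" IssueInstant="2015-07-15T12:00:00Z">
    <saml:AuthnStatement AuthnInstant="2015-07-15T12:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{UNSPECIFIED}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_classrefs(response_xml: str) -> list[str]:
    """Return every AuthnContextClassRef found in the assertions of a Response."""
    root = ET.fromstring(response_xml)
    tag = f"{{{SAML_NS}}}AuthnContextClassRef"
    return [e.text.strip() for e in root.iter(tag) if e.text and e.text.strip()]


def authn_context_satisfied(
    returned: list[str],
    requested: list[str],
    comparison: str = "exact",
    accept_unspecified: bool = False,
) -> tuple[bool, str]:
    """Evaluate returned class refs against the SP's RequestedAuthnContext policy.

    comparison follows SAML Core 3.3.2.2.1: "exact" (one of the requested classes),
    "minimum" (at least as strong as one requested class), "better" (stronger than
    every requested class). "maximum" needs the responder's own ordering and is not
    evaluated here.
    """
    if not returned:
        return False, "no AuthnContextClassRef in assertion"
    if UNSPECIFIED in returned and not accept_unspecified:
        return False, "IdP returned 'unspecified' and SP policy does not accept it"
    if comparison == "exact":
        ok = any(r in requested for r in returned)
        return ok, "exact match" if ok else f"returned {returned}, required one of {requested}"
    if comparison not in ("minimum", "better"):
        return False, f"unsupported Comparison value {comparison!r}"
    unknown = [r for r in returned + requested if r not in STRENGTH]
    if unknown:
        return False, f"no strength ranking for {unknown}; cannot order"
    got = max(STRENGTH[r] for r in returned)
    if comparison == "minimum":
        ok = got >= min(STRENGTH[r] for r in requested)
    else:  # better
        ok = got > max(STRENGTH[r] for r in requested)
    return ok, f"{comparison}: returned strength {got}"


def evaluate_response(response_xml: str, requested: list[str],
                      comparison: str = "exact", accept_unspecified: bool = False) -> tuple[bool, str]:
    """Convenience wrapper: parse then apply policy."""
    return authn_context_satisfied(extract_classrefs(response_xml), requested,
                                   comparison, accept_unspecified)


if __name__ == "__main__":
    ok, why = evaluate_response(SAMPLE_RESPONSE, [PASSWORD_PROTECTED], "exact")
    print("accept" if ok else "reject", "-", why)
```

With the SP in the thread's position (requested PasswordProtectedTransport, Comparison "exact", the default when the attribute is absent), the constructed response is rejected because "unspecified" is neither the requested class nor accepted by policy; flipping accept_unspecified to True is the deliberate SP decision the IdP is asking for, and it still fails "minimum" against PasswordProtectedTransport because "unspecified" ranks lowest. The rejection reason is returned rather than only logged so the SP can surface it to operators when an IdP behaves as described above.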


