
saml-dev message


Subject: Re: [saml-dev] AuthnContext for WebSSO

NoAuthnContext should be returned if the IdP does not support that AuthnContext.

http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, Element <RequestedAuthnContext>

Line 1815: "Either a set of class references or a set of declaration references can be used. The set of supplied references MUST be evaluated as an ordered set, where the first element is the most preferred authentication context class or declaration. If none of the specified classes or declarations can be satisfied in accordance with the rules below, then the responder MUST return a <Response> message with a second-level <StatusCode> of urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext."

On Thu, Jul 16, 2015 at 11:41 AM, Jeff Tchang <jeff.tchang@gmail.com> wrote:

On Wed, Jul 15, 2015 at 10:40 PM, prabhat chaturvedi <chaturvedi.prabhat@gmail.com> wrote:

Recently, we, being an SP, are integrating with an IdP which has some things that are doubtful from a spec perspective.

Despite our going through the spec and citing the sections, they are interpreting it differently.

Kindly verify my understanding:

1) Can the IdP send the unspecified (urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified) AuthnContext if the authentication for the WebSSO use case happens using username/password over HTTPS?
As per the spec, it should send PasswordProtected if it's password-based authentication over HTTPS. We at the SP are looking for the PasswordProtected AuthnContext, and we fail the assertion.

I don't see why not. If I were an IdP, I don't see any reason why I would need to specifically tell you, the SP, that the person I authenticated was using a password. If I didn't trust the SP explicitly, I may not want to give you that information.

2) We, being an SP, also send a required AuthnContext (which is PasswordProtected) in the SAMLRequest; in this case, if the IdP does not support this AuthnContext, it should reply with NoAuthnContext. But the IdP still sends the unspecified AuthnContext.

I don't think the specification says the IdP must reply with no auth context.

"Such context may include, but is not limited to, the actual authentication method used" ... so it doesn't have to include it.

3) Can the unspecified AuthnContext be used for any reason? As per the spec, it should be used for an unspecified means of authentication.
This IdP is using unspecified in all cases.

I've seen it used for a variety of reasons. To hide information from the SP for security reasons is one example.

They are asking us not to send RequestedAuthnContext, which is optional. We, being an SP, have already integrated with well-known IdPs and do not want to make this change for only this IdP.
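The two rules debated in this thread, the IdP's ordered evaluation of RequestedAuthnContext (spec line 1815, Comparison="exact", which is the default) and the SP's decision to fail an assertion whose AuthnContextClassRef is not one it asked for, as an added example that is not part of the original thread. The Response documents are constructed and deliberately minimal (no Issuer, IssueInstant, Signature or Conditions), and the function names are this example's own, not part of the SAML specification or any library.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces and the identifiers discussed in the thread
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"


def idp_select_context(requested, supported):
    """IdP side (hypothetical helper): walk the RequestedAuthnContext class
    references in order of preference and return the first one the IdP can
    satisfy under Comparison="exact". None means the IdP must answer with a
    second-level StatusCode of NoAuthnContext instead of an assertion."""
    for class_ref in requested:
        if class_ref in supported:
            return class_ref
    return None


def sp_check_response(response_xml, requested):
    """SP side (hypothetical helper): return (accepted, reason).
    Rejects a NoAuthnContext status and also rejects a successful Response
    whose AuthnContextClassRef is not in the set the SP requested, which is
    the SP's position in the thread. Runs after signature and Conditions
    validation in a real deployment; those steps are out of scope here."""
    root = ET.fromstring(response_xml)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    if top is None:
        return False, "missing StatusCode"
    if top.get("Value") != SUCCESS:
        second = top.find("samlp:StatusCode", NS)  # second-level code, if any
        if second is not None and second.get("Value") == NO_AUTHN_CONTEXT:
            return False, "IdP cannot satisfy requested AuthnContext"
        return False, "non-success status: " + top.get("Value", "")
    ref = root.find(
        "saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS
    )
    if ref is None or not (ref.text or "").strip():
        return False, "assertion carries no AuthnContextClassRef"
    actual = ref.text.strip()
    if actual not in requested:
        return False, "AuthnContext " + actual + " not in requested set"
    return True, actual


def success_response(class_ref):
    """Constructed, minimal successful Response carrying one AuthnStatement."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed Response the spec requires when no requested class can be met:
# top-level Responder with a second-level NoAuthnContext, and no assertion.
NO_CONTEXT_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" ID="_r2" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="{RESPONDER}">
      <samlp:StatusCode Value="{NO_AUTHN_CONTEXT}"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""


if __name__ == "__main__":
    requested = [PPT]  # what the SP in the thread asks for
    print(idp_select_context(requested, {UNSPECIFIED}))          # None -> NoAuthnContext
    print(sp_check_response(success_response(PPT), requested))   # accepted
    print(sp_check_response(success_response(UNSPECIFIED), requested))  # rejected
    print(sp_check_response(NO_CONTEXT_RESPONSE, requested))     # rejected, NoAuthnContext
```

With the SP requesting only PasswordProtectedTransport and an IdP that only issues unspecified, the selection returns None, so the spec-conforming reply is the NoAuthnContext status rather than an assertion with unspecified; the SP check rejects either that status or the unspecified assertion, which is exactly the mismatch the thread describes.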

