SAML2 SSO: AuthnContext Class Schemas: "PasswordProtectedTransport" vs "unspecified"

BACKGROUND:

My company is acting as the Service Provider to our clients that are the IDP. We use OpenAM, but our clients use ADFS or Shibboleth. We exchange metadata files for establishing federations, not URLs. A client asked why we require an AuthnContext class schema (specifically PasswordProtectedTransport), and not only do we not know why, we don't know how to change it or what that would mean.

QUESTION:

What is the functional difference between using "PasswordProtectedTransport" vs "unspecified" for the AuthnContextClassRef in a SAML2 assertion?

We currently use PasswordProtectedTransport amongst all our clients, but no one at my company can tell me why we require this. If we remove it, the federation stops working with a 500 error and a "NoAuthnContext" in the SAML trace. We also don't understand that, as I was led to believe from SAML documentation that having a schema is optional for the authentication. Even so, I saw no explanation anywhere of what the implications of using "unspecified" would be.

I can’t find any thorough explanation or discussion anywhere about this topic and was hoping someone could elaborate for me, as I am struggling to find light on this.

Asked by Technical_Analyst, Mar 02 '15 15:03


1 Answer

RequestedAuthnContext in a request is a means for an SP to ask the IDP to authenticate the user with a specific authentication mechanism.
For example, if you specify PasswordProtectedTransport in your request, the IDP knows it has to authenticate the user through login/password, protected by SSL/TLS.
The IDP says in its response which mechanism it used to authenticate the user through AuthnContextClassRef.

RequestedAuthnContext in a request is optional, but AuthnContextClassRef in the assertion is mandatory as specified by the SAML schema (hence the 500 error you encountered).
Basically, the unspecified URN is used by the IDP to say "I don't want to tell you how I identified the user".
As an SP, you have the choice to accept that answer or reject it, if you want to ensure that the user is authenticated with a secure mechanism.

Answered by sk_, Dec 28 '22 20:12
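The two halves of the answer above (the SP's optional RequestedAuthnContext in the request, and the SP's decision on the mandatory AuthnContextClassRef in the assertion) as an added, self-contained Python example. This is illustrative code written for this page, not OpenAM, ADFS or Shibboleth code. The namespace URIs and the PasswordProtectedTransport/unspecified class URNs are the standard SAML 2.0 values; the sample assertions, issuer, NameID and ID values are constructed, the assertions are unsigned, and signature and Conditions validation is deliberately left out so that only the AuthnContext decision is shown.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces and the two AuthnContext classes from the question.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS}
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("samlp", SAMLP_NS)


def build_requested_authn_context(class_refs, comparison="exact"):
    """Serialise the <samlp:RequestedAuthnContext> an SP places in its AuthnRequest.

    This is the optional element: it asks the IdP for one of the listed mechanisms.
    """
    rac = ET.Element(f"{{{SAMLP_NS}}}RequestedAuthnContext", Comparison=comparison)
    for ref in class_refs:
        ET.SubElement(rac, f"{{{SAML_NS}}}AuthnContextClassRef").text = ref
    return ET.tostring(rac, encoding="unicode")


def extract_authn_context(assertion_xml):
    """Return the AuthnContextClassRef text from an Assertion, or None if it is absent."""
    root = ET.fromstring(assertion_xml)
    node = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if node is None or not (node.text or "").strip():
        return None
    return node.text.strip()


def evaluate_assertion(assertion_xml, accepted_classes):
    """SP-side policy decision on the authentication context: returns (accepted, reason).

    Signature, audience and validity-window checks are out of scope here; a real SP
    performs them before it looks at the authentication context.
    """
    ref = extract_authn_context(assertion_xml)
    if ref is None:
        # The schema-mandatory element is missing: this is the "NoAuthnContext" failure.
        return False, "NoAuthnContext: assertion has no AuthnContextClassRef"
    if ref in accepted_classes:
        return True, f"accepted: IdP authenticated the user with {ref}"
    return False, f"rejected: {ref} is not in the SP's accepted AuthnContext classes"


def _assertion(authn_context_xml):
    """Build a minimal, unsigned, constructed Assertion around the given AuthnContext XML."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-1" Version="2.0"
    IssueInstant="2015-03-02T15:03:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2015-03-02T15:03:00Z">{authn_context_xml}</saml:AuthnStatement>
</saml:Assertion>"""


def _context(class_ref):
    """Constructed <saml:AuthnContext> carrying one class reference."""
    return (f"<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}"
            f"</saml:AuthnContextClassRef></saml:AuthnContext>")


# Constructed sample assertions: a password-over-TLS login, an IdP that declines to
# say how it authenticated, and a schema-invalid assertion with no context at all.
ASSERTION_PPT = _assertion(_context(PPT))
ASSERTION_UNSPECIFIED = _assertion(_context(UNSPECIFIED))
ASSERTION_NO_CONTEXT = _assertion("")


if __name__ == "__main__":
    print(build_requested_authn_context([PPT]))
    strict_policy = {PPT}               # what the question's current federations require
    lenient_policy = {PPT, UNSPECIFIED}  # what dropping the requirement amounts to
    for name, xml in [("PPT", ASSERTION_PPT), ("unspecified", ASSERTION_UNSPECIFIED),
                      ("no context", ASSERTION_NO_CONTEXT)]:
        print(name, "strict  ->", evaluate_assertion(xml, strict_policy))
        print(name, "lenient ->", evaluate_assertion(xml, lenient_policy))
```

Running it shows the three outcomes the answer distinguishes: PasswordProtectedTransport passes either policy, unspecified passes only the lenient policy (the SP has chosen to trust an IdP that will not say how it authenticated), and the assertion without any AuthnContextClassRef fails regardless of policy, which is the NoAuthnContext condition the question describes. The policy set is the one knob the SP controls; what the IdP actually does is decided on the IdP side.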