Dear Sander,
On 2.12.2022 at 12:43, Sander Apweiler wrote:
> Dear Krzysztof,
> is there a limitation in the supported authnContextClasses? We have a
> client which requires a context class in their configuration. They
> tried different ones which seem to fit but they receive just the message
> "This implementation doesn't support requests with
> RequestedAuthnContext set." Or does this message mean that service
> providers must not set this?
Yes, Unity does not support *requesting* authN context. Requesting authN
context is a gigantic framework which governs which authN options the user
should get. This is very orthogonal to the approach where the Unity admin
controls how to authenticate the user.
Supporting that (even in a very limited form, as this part of SAML is
almost endless) would be a bigger piece of work, I'm afraid.
What I think we can implement with a fairly low effort would be to
support requesting the "unspecified" SAML authn context. I'd need to
verify it though (i.e. whether it is allowed).
Best,
Krzysztof
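
To see whether a service provider's AuthnRequest carries the RequestedAuthnContext element discussed in this thread, and which class references it asks for, the request XML can be inspected before it is sent. The following is an added example, not part of the original mail and not Unity code; the sample requests, the issuer URL and the function names are constructed for illustration, and the class reference URNs are the standard SAML 2.0 ones.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# Constructed sample request; ID, issuer and timestamp are made up.
_TEMPLATE = """<samlp:AuthnRequest xmlns:samlp="{p}" xmlns:saml="{a}"
    ID="_constructed1" Version="2.0" IssueInstant="2022-12-02T12:00:00Z">
  <saml:Issuer>https://sp.example.org/metadata</saml:Issuer>{rac}
</samlp:AuthnRequest>"""


def build_request(class_refs=(), comparison=None):
    """Build a sample AuthnRequest, optionally with RequestedAuthnContext."""
    rac = ""
    if class_refs:
        cmp_attr = f' Comparison="{comparison}"' if comparison else ""
        refs = "".join(
            f"<saml:AuthnContextClassRef>{c}</saml:AuthnContextClassRef>"
            for c in class_refs)
        rac = (f"\n  <samlp:RequestedAuthnContext{cmp_attr}>{refs}"
               "</samlp:RequestedAuthnContext>")
    return _TEMPLATE.format(p=SAMLP, a=SAML, rac=rac)


def requested_authn_context(xml_text):
    """Return None if the element is absent, else its comparison and refs."""
    if "<!DOCTYPE" in xml_text:
        # SAML messages never need a DTD; refuse it before parsing.
        raise ValueError("DTDs are not allowed in SAML messages")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None
    refs = [e.text.strip()
            for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    # Comparison is optional and defaults to "exact" in SAML 2.0 core.
    return {"comparison": rac.get("Comparison", "exact"), "class_refs": refs}


def classify(xml_text):
    """Summarise what the request asks for, for an SP-side config review."""
    rac = requested_authn_context(xml_text)
    if rac is None:
        return "no RequestedAuthnContext"
    if rac["class_refs"] == [UNSPECIFIED]:
        return "requests only 'unspecified'"
    return "requests specific context: " + ", ".join(rac["class_refs"])
```
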