Ideally, SPs that require a particular assurance level will initiate the assurance flow by including the desired IAQ in the <samlp:AuthnRequest> element.
SPs will receive IAQs (either in response to a specific request, or sent unsolicited) in assertions from IdPs. SPs should use metadata to check that the IdP is authorized to assert the IAQs being asserted.
SPs will rely on local policy to decide how to handle incoming IAQs. For example, if the SP requires InCommon Bronze but receives InCommon Silver, that is probably acceptable.
The Shibboleth SP provides an authnContextClassRef setting to control the value requested when particular resources are accessed. To include multiple values in a request, the AuthnRequest "template" mechanism described in the SessionInitiator documentation can be used.
An IdP's authorization to assert particular IAQs is published as <saml:Attribute> elements in IdP metadata. Other approaches?
This example shows how a Shibboleth Service Provider can request a silver-test IAQ from an IdP. First, the SP must consume IdP metadata.
The SP's attribute map needs an entry for the assurance certification attribute:
<Attribute name="urn:oasis:names:tc:SAML:attribute:assurance-certification" id="assurance-certification"/>
This corresponds to the <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"> element in the IdP's metadata. Next, add a metadata attribute prefix to the <ApplicationDefaults> element:
metadataAttributePrefix="Meta-"
For example, replace the <ApplicationDefaults> element with the following:
<ApplicationDefaults id="default" policyId="default" entityID="https://example.org/shibboleth" REMOTE_USER="persistent-id targeted-id eppn" signing="false" encryption="false" homeURL="https://example.org/" metadataAttributePrefix="Meta-">
These settings expose the metadata-derived attributes with the prefix HTTP_META_ and allow the SP software to automatically populate the Apache server environment with IAQs from the IdP's metadata. This is useful for the SP to programmatically determine which assurance attributes are valid from the IdP.
One way for the SP to request the silver-test IAQ from the IdP is to use the authnContextClassRef query string parameter when creating the session (line breaks added for readability):
Location: https://sp.example.org/Shibboleth.sso/Login?
  target=https%3A%2F%2Fsp.example.org%2Fsecure%2Fresource.asp&
  entityID=https%3A%2F%2Fidp.example.org%2Fidp%2Fshibboleth&
  authnContextClassRef=http%3A%2F%2Fid.incommon.org%2Fassurance%2Fsilver-test
Upon successful authentication from the IdP, the secure SP session should contain the following environment variables:
HTTP_SHIB_AUTHENTICATION_METHOD    http://id.incommon.org/assurance/silver-test
HTTP_META_ASSURANCE_CERTIFICATION  http://id.incommon.org/assurance/silver-test;http://id.incommon.org/assurance/bronze-test
Contrast this with the same session initiation without the authnContextClassRef parameter:
HTTP_SHIB_AUTHENTICATION_METHOD    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
HTTP_META_ASSURANCE_CERTIFICATION  http://id.incommon.org/assurance/silver-test;http://id.incommon.org/assurance/bronze-test
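As an added example (not part of this wiki page or of the Shibboleth software), the following Python performs the two SP-side checks described above against the environment variables the SP populates: that the asserted authentication context is an IAQ the IdP is certified for in its metadata, and that it meets the locally required level. The rank ordering (Silver satisfies a Bronze requirement) and the sample session dictionaries are constructed for illustration.

```python
"""Application-side check of InCommon assurance qualifiers (IAQs) as delivered by
the Shibboleth SP in Apache environment variables. Added example: the rank
ordering and the sample sessions are constructed for illustration."""

# IAQ URIs used on this page; bronze is the lower level, silver the higher.
IAQ_BRONZE = "http://id.incommon.org/assurance/bronze-test"
IAQ_SILVER = "http://id.incommon.org/assurance/silver-test"

# Local policy (assumption): a higher-ranked IAQ satisfies a lower requirement,
# so InCommon Silver is accepted where Bronze is required.
IAQ_RANK = {IAQ_BRONZE: 1, IAQ_SILVER: 2}

class AssuranceError(Exception):
    """The session does not satisfy the required assurance level."""

def certified_iaqs(environ):
    """Parse HTTP_META_ASSURANCE_CERTIFICATION, the ';'-separated list the SP
    derives from the IdP's metadata (metadataAttributePrefix="Meta-")."""
    raw = environ.get("HTTP_META_ASSURANCE_CERTIFICATION", "")
    return {v for v in raw.split(";") if v}

def check_assurance(environ, required):
    """Return the IAQ that satisfied `required`, or raise AssuranceError.
    1. The asserted authentication context must be an IAQ at all (not, e.g.,
       PasswordProtectedTransport, which is returned when no IAQ was requested).
    2. The IdP must be certified for that IAQ in its metadata.
    3. The asserted IAQ must meet or exceed the locally required level."""
    asserted = environ.get("HTTP_SHIB_AUTHENTICATION_METHOD", "")
    if asserted not in IAQ_RANK:
        raise AssuranceError(f"authentication context {asserted!r} is not a known IAQ")
    if asserted not in certified_iaqs(environ):
        raise AssuranceError(f"IdP is not certified for {asserted} in metadata")
    if IAQ_RANK[asserted] < IAQ_RANK[required]:
        raise AssuranceError(f"{asserted} does not satisfy required {required}")
    return asserted

# Constructed sample environments mirroring the two sessions shown on this page.
CERTIFIED = IAQ_SILVER + ";" + IAQ_BRONZE
SESSION_WITH_IAQ = {"HTTP_SHIB_AUTHENTICATION_METHOD": IAQ_SILVER,
                    "HTTP_META_ASSURANCE_CERTIFICATION": CERTIFIED}
SESSION_WITHOUT_IAQ = {"HTTP_SHIB_AUTHENTICATION_METHOD":
                       "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
                       "HTTP_META_ASSURANCE_CERTIFICATION": CERTIFIED}

if __name__ == "__main__":
    print("accepted:", check_assurance(SESSION_WITH_IAQ, IAQ_BRONZE))
    try:
        check_assurance(SESSION_WITHOUT_IAQ, IAQ_BRONZE)
    except AssuranceError as err:
        print("rejected:", err)
```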
Note that if you attempt to pass the authnContextClassRef parameter to an IdP that has not been properly configured, you will most likely receive an opensaml::FatalProfileException error.