How is SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST expected to work?

Hello,

I thought I had done this the correct way but I'm unable to get it to work so far.

Incoming SAML request from trusted SP contains

<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>id.elegnamnden.se/.../saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>

I have configured the option "SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST=http://id.elegnamnden.se/.../loa3" in the SP config

and in the Remote IDP in NAM I have set the option "SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST=http://id.elegnamnden.se/loa/1.0/loa3", Requested by "Use Types" and Context Comparison "Exact"

Which, if I understand things right, should redirect users to the external IDP for authentication, but it doesn't.

I see this error in IDP catalina log file

"Warning: Invalid resource key: Authentication error: There is either no 'Local Card' or a 'Provider Card' configured for the requested contract [null]. No prefix!"

Any suggestions?

/Lennart

  • 0

    Hi Lennart,

    here are the defined options for SAML2, where you can also find your option: https://www.microfocus.com/documentation/access-manager/5.0/admin/bvdbfae.html

    For example, a service provider sends an authentication request (authnrequest) to a remote identity provider. The request contains the AuthnContextClassRef attribute. The local identity provider (Identity Server) performs the following actions:

    1. Verifies the value of AuthnContextClassRef in the service provider’s SAML request.

    2. Identifies if the value matches with the SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST of any of the configured identity providers in Identity Server.

    3. When a match is found for a configured remote identity provider and it requires Identity Server to redirect the request, then Identity Server (acting as a service provider for the remote identity provider) sends the request to that trusted remote identity provider.

    But you have to check, that your identity provider has the same attribute in properties, like stated here:

    https://www.netiq.com/documentation/access-manager-45-appliance/admin/data/b1ax7qoc.html#defineoption

    How do you have your IDP configured, if you are using one?

    Also there is the possibility of using the option "SAML2 REQUEST IGNORE AUTHCONTEXT" and setting it to true on the Service Provider, but then it can happen that your service provider is not happy with the response and throws an error (that is what Microsoft does, for example).

    Kind regards,

    Sebastian Novak

  • 0 in reply to 

    Hello Sebastian,

    thanks for your reply.

    Yeah, I have done it the way that I understand the documentation. I have a setup where a remote SP (my NAM lab box) is set to request a specific AuthnContextClassRef (http://id.elegnamnden.se/loa/1.0/loa3) and Context Comparison=exact. So the authn request looks like this:

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable" ForceAuthn="false" ID="idbSH0X2x27_hce1zkxLu92_OUInY" IsPassive="false" IssueInstant="2024-10-22T06:25:12Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
        <saml:Issuer>https://nam.domain.com/nidp/saml2/metadata</saml:Issuer>
        <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
        <samlp:RequestedAuthnContext Comparison="exact">
            <saml:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/loa3</saml:AuthnContextClassRef>
        </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>

    In the SP configuration in NAM (acting as both IDP and SP) I have this specified as an option:

    SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST=http://id.elegnamnden.se/loa/1.0/loa3

    Have also tried with and without a step-up contract in the SP configuration: created a contract with Satisfiable by External Provider=true, Requested by=use types and allowable class set to http://id.elegnamnden.se/loa/1.0/loa3, and no method specified.

    I have also done the remote IDP configuration and set the option

    SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST=id.elegnamnden.se/.../loa3

    and set Requested by: use types (but no type specified) and context comparison level to exact

    I'm aware of the functionality regarding "SAML2 REQUEST IGNORE AUTHCONTEXT"

    Thanks

    /Lennart

  • 0 in reply to 

    Hi Lennart,

    Could you maybe upload SAML response you are getting from your IDP, when you have that parameter set?

    Also, if I see right, in some cases you have "http://" in front of your ClassRef, and in some cases you don't. Could you try specifying it the same everywhere (without http://)?

    Kind regards,

    Sebastian Novak

  • 0 in reply to 

    Hi Sebastian,

    regarding the missing http:// in the last response, that was merely because I typed it instead of copying the text; it's the correct info.

    the response from the remote NAM IDP/SP looks like this; I have removed the cert data for readability:

    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://am.domain.com/nidp/saml2/spassertion_consumer" ID="idttAtEmdHfbXFNhXNwXqAodq7oAE" InResponseTo="idbSH0X2x27_hce1zkxLu92_OUInY" IssueInstant="2024-10-22T06:25:12Z" Version="2.0">
        <saml:Issuer>https://sp-idp.someotherdomain.com/nidp/saml2/metadata</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <ds:Reference URI="#idttAtEmdHfbXFNhXNwXqAodq7oAE">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>A2flZxwYNZLXQO6stqNt1b+yiais7q5dqFLUKP7H+f8=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
    CwHlQsQiXQvdrk2WNSXm1uhFYwS/B6Ucm3BzLOfIbz/kFj3JqYUsR/K2WdqeCj44AvQTYln6/rTf
    U6vQq/Yb+bk7XvWmFO27eWsbBevT50sjaUa3pQKfIdpWM/iRhb42adjiVGVMhnjIOH+5DUHyc2nh
    x4PLwOlSjrCYLOEP3dlcRRyRZOsWaH/DFWg5oN8RWumK6bjDuernGCpX5e1IgCLIWfTGloMZnYdE
    yJ3NXEk5OI2FUy8XuomYe7NmNDotTske3UGWA/0c85QikfLaAbjms9U3ewA4LTwjZp/txSXiaEg3
    iV6yDqohSM597UfaeHuB+EyzOTVK/oNivm0IhA==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <samlp:Status>
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
                <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/></samlp:StatusCode>
        </samlp:Status>
    </samlp:Response>

    /Lennart
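An added example (my own code, not NAM's or the forum's) of the matching procedure described in Sebastian's first answer, run over a cut-down copy of the AuthnRequest posted above, plus a reader for the nested StatusCode in the failing Response; the remote IDP names and the second IDP's class ref are hypothetical:

```python
# Added example (not NAM's code): match a SAML2 AuthnRequest's RequestedAuthnContext
# against the class refs configured per remote IDP, and read a Response's nested status.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed inputs: cut-down copies of the AuthnRequest and the failing Response
# posted in the thread, and hypothetical remote IDP names with their configured
# "SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST" values.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="idbSH0X2x27_hce1zkxLu92_OUInY" Version="2.0">
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/loa3</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""
FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
  </samlp:StatusCode></samlp:Status></samlp:Response>"""
REMOTE_IDPS = {"swedish-eid-idp": ["http://id.elegnamnden.se/loa/1.0/loa3"],
               "partner-idp": ["urn:oasis:names:tc:SAML:2.0:ac:classes:Password"]}

def requested_class_refs(authn_request_xml):
    """Return (Comparison, [AuthnContextClassRef values]) from an AuthnRequest."""
    rac = ET.fromstring(authn_request_xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return rac.get("Comparison", "exact"), refs   # SAML's default Comparison is "exact"

def select_remote_idp(authn_request_xml, remote_idps):
    """Name of the first remote IDP whose list contains a requested class ref, else None.
    This is an exact string compare: an entry typed without "http://" never matches."""
    comparison, refs = requested_class_refs(authn_request_xml)
    if comparison != "exact" or not refs:
        return None                     # only the "exact" comparison is handled here
    for name, configured in remote_idps.items():
        if any(ref in configured for ref in refs):
            return name
    return None

def response_status(response_xml):
    """Nested StatusCode values of a SAML2 Response, outermost first."""
    node, codes = ET.fromstring(response_xml).find("samlp:Status/samlp:StatusCode", NS), []
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return codes
```

A second-level status of NoAuthnContext, as in the Response above, is the IDP saying no configured contract or remote provider satisfied the requested class ref, which is the condition the matching step is meant to avoid.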

  • 0 in reply to 

    Dear Lennart,

    What are you using as the authentication class on your remote IDP? Did you maybe try with the secure username/password form? Try this first, so we can see if it is an overall issue or just with some classes. When I am using the Secure UP class I get some context, but with some I could not get it either.

    With kind regards,

    Sebastian Novak

  • 0 in reply to 

    Hi,

    I have tried using the method secure username/password form in that contract, and then authentication is working.

    /Lennart

  • 0 in reply to 

    Hi Lennart,

    so if you use secure username/password, the IDP returns the parameter specified in "SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST"?


    Kind regards,

    Sebastian Novak

  • 0 in reply to 

    yes

    /Lennart

  • 0 in reply to 

    But then it's only handled by the customer's NAM; the idea is to use (from the customer's SP/IDP perspective) an external IDP that is authenticating users with a Swedish E-id.

    So we want the request to get redirected to that IDP.

    /Lennart

  • Suggested Answer

    0 in reply to 

    Great. I figured out before that this context is obtained with the getType() method in the classes and it is mostly hardcoded, but in some you can get the right context and in some you cannot. Maybe someone could open an SR regarding this bug?

    Kind regards,

    Sebastian Novak