How is SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST expected to work?

Hello,

I thought I had done this the correct way but I'm unable to get it to work so far.

Incoming SAML request from trusted SP contains

<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>id.elegnamnden.se/...</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>

I have configured the option "SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST=http://id.elegnamnden.se/.../loa3" in the SP config

and in the Remote IDP in NAM I have set the option "SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST=http://id.elegnamnden.se/loa/1.0/loa3", Requested by "Use Types" and Context Comparison to "Exact".

Which, if I understand things right, would redirect users to the external IDP for authentication, but it doesn't.

I see this error in the IDP catalina log file:

"Warning: Invalid resource key: Authentication error: There is either no 'Local Card' or a 'Provider Card' configured for the requested contract [null]. No prefix!"

Any suggestions?

/Lennart

Labels:

Access Manager

    Hi Lennart,

    Here are the defining options for SAML2, where you can also find your option: https://www.microfocus.com/documentation/access-manager/5.0/admin/bvdbfae.html

    For example, a service provider sends an authentication request (authnrequest) to a remote identity provider. The request contains the AuthnContextClassRef attribute. The local identity provider (Identity Server) performs the following actions:

    1. Verifies the value of AuthnContextClassRef in the service provider’s SAML request.

    2. Identifies if the value matches with the SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST of any of the configured identity providers in Identity Server.

    3. When a match is found for a configured remote identity provider and it requires Identity Server to redirect the request, then Identity Server (acting as a service provider for the remote identity provider) sends the request to that trusted remote identity provider.

    But you have to check that your identity provider has the same attribute in its properties, as stated here:

    https://www.netiq.com/documentation/access-manager-45-appliance/admin/data/b1ax7qoc.html#defineoption

    How do you have your IDP configured, if you are using one?

    Also there is the possibility of using the option "SAML2 REQUEST IGNORE AUTHCONTEXT" and setting it to true on the service provider, but then it can happen that your service provider is not happy with the response and throws an error (that is what Microsoft does, for example).

    Kind regards,

    Sebastian Novak
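
    As an added illustration of the three steps quoted above (my own code, not NAM's implementation and not taken from the linked documentation), here is a small Python model of how an AuthnRequest's RequestedAuthnContext is matched against the SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST configured on the SP and on each remote IdP, with the SAML2 REQUEST IGNORE AUTHCONTEXT shortcut included. The SpEntry/RemoteIdp dataclasses, the entry names and the sample request's Issuer and ID are assumptions; only the loa3 class reference and the option names come from the thread.

```python
"""Toy model of AuthnContextClassRef routing as described in the reply above.

Constructed example; it is not NAM's code. Only Comparison="exact" is modelled,
because that is the mode used in this thread.
"""
from __future__ import annotations

from dataclasses import dataclass
from xml.etree import ElementTree as ET  # use defusedxml for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample AuthnRequest, shaped like the one quoted in the thread.
# Issuer and ID are placeholders, not values from the page.
SAMPLE_AUTHN_REQUEST = """\
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request-id" Version="2.0" IssueInstant="2024-10-22T06:25:12Z">
  <saml:Issuer>https://sp.example.test/nidp/saml2/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/loa3</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
"""

LOA3 = "http://id.elegnamnden.se/loa/1.0/loa3"


@dataclass(frozen=True)
class RemoteIdp:
    """A trusted remote identity provider entry in Identity Server (assumed shape)."""
    name: str
    # Value(s) of SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST on the remote IdP entry
    custom_class_refs: tuple[str, ...]


@dataclass(frozen=True)
class SpEntry:
    """A trusted service provider entry in Identity Server (assumed shape)."""
    name: str
    # Value(s) of SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST on the SP entry
    custom_class_refs: tuple[str, ...]
    # SAML2 REQUEST IGNORE AUTHCONTEXT on the SP entry
    ignore_authn_context: bool = False


def parse_requested_context(xml_text: str) -> tuple[str | None, list[str]]:
    """Return (Comparison, [class refs]) from an AuthnRequest, or (None, []) if absent."""
    root = ET.fromstring(xml_text)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    comparison = rac.get("Comparison", "exact")  # SAML 2.0 default is "exact"
    refs = [el.text.strip() for el in rac.findall("saml:AuthnContextClassRef", NS) if el.text]
    return comparison, refs


def route_request(xml_text: str, sp: SpEntry, idps: list[RemoteIdp]) -> tuple[str, str | None]:
    """Decide what Identity Server does with the request, following the three steps.

    Returns one of:
      ("ignored", None)       SP has SAML2 REQUEST IGNORE AUTHCONTEXT=true; context not evaluated
      ("local", None)         no RequestedAuthnContext in the request; authenticate locally
      ("unsupported", None)   Comparison other than "exact" (not modelled here)
      ("unknown-ref", None)   step 1 failed: requested ref is not in the SP's configured list
      ("redirect", idp_name)  steps 2-3: a remote IdP lists the ref; send the request there
      ("no-provider", None)   steps 2-3 failed: no remote IdP lists the requested ref
    """
    if sp.ignore_authn_context:
        return "ignored", None
    comparison, refs = parse_requested_context(xml_text)
    if not refs:
        return "local", None
    if comparison != "exact":
        return "unsupported", None
    # Step 1: "exact" is a literal string comparison, so scheme, case and
    # trailing slashes must all agree with the value configured on the SP.
    if not any(ref in sp.custom_class_refs for ref in refs):
        return "unknown-ref", None
    # Steps 2-3: the first remote IdP whose list contains a requested ref wins.
    for idp in idps:
        if any(ref in idp.custom_class_refs for ref in refs):
            return "redirect", idp.name
    return "no-provider", None


if __name__ == "__main__":
    sp = SpEntry("lab-sp", (LOA3,))
    idp = RemoteIdp("elegnamnden-idp", (LOA3,))
    print(route_request(SAMPLE_AUTHN_REQUEST, sp, [idp]))   # ('redirect', 'elegnamnden-idp')
    print(route_request(SAMPLE_AUTHN_REQUEST, sp, []))      # ('no-provider', None)
```

    The useful thing to try with this model is feeding it a remote IdP whose configured value differs from the requested string by a single character (missing scheme, different case, trailing slash): under an exact comparison that request ends in "no-provider" rather than a redirect, which is the category of outcome the catalina warning in the original post reports, namely that no local or provider card exists for the requested contract.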


    Hello Sebastian,

    thanks for your reply.

    Yeah, I have done it the way I understand the documentation. I have a setup where a remote SP (my NAM lab box) is set to request a specific AuthnContextClassRef (http://id.elegnamnden.se/loa/1.0/loa3) with Context Comparison=exact, so the authn request looks like this:

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable" ForceAuthn="false" ID="idbSH0X2x27_hce1zkxLu92_OUInY" IsPassive="false" IssueInstant="2024-10-22T06:25:12Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
        <saml:Issuer>https://nam.domain.com/nidp/saml2/metadata</saml:Issuer>
        <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
        <samlp:RequestedAuthnContext Comparison="exact">
            <saml:AuthnContextClassRef>http://id.elegnamnden.se/loa/1.0/loa3</saml:AuthnContextClassRef>
        </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>

    In the SP configuration in NAM (acting as both IDP and SP) I have this specified as an option:

    SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST=http://id.elegnamnden.se/loa/1.0/loa3

    I have also tried with and without a step-up contract in the SP configuration: I created a contract with Satisfiable by External Provider=true, Requested by=use types, allowable class set to http://id.elegnamnden.se/loa/1.0/loa3 and no method specified.

    I have also done the remote IDP configuration and set the option

    SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST=id.elegnamnden.se/.../loa3

    and set Requested by: use types (but no type specified) and the context comparison level to exact.

    I'm aware of the functionality regarding "SAML2 REQUEST IGNORE AUTHCONTEXT".

    Thanks

    /Lennart