Can you suppress AuthnContextDeclRef in a SAML2 assertion?


I am setting up a SAML 2 Service Provider. I am the Identity Provider

In the SAML Assertion I post there is this

<saml:AuthnContext>
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
  <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>
</saml:AuthnContext>

The Service Provider indicated that they cannot have the URI
(AuthnContextDeclRef) in the Assertion:

<saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>

The error they provided to me is this:

System.InvalidOperationException: ID4180: A SAML2 assertion that
specifies an AuthenticationContext DeclarationReference is not
supported. To handle DeclarationReference, extend the
Saml2SecurityTokenHandler and override ProcessAuthenticationStatement.

Is there a way to suppress/remove the AuthnContextDeclRef in the SAML
Assertion? And it would only be for this specific Service Provider. All
of the others are fine with the AuthnContextDeclRef in the assertion.

Thanks,
Martin


--
martintduffy
------------------------------------------------------------------------
martintduffy's Profile: https://forums.netiq.com/member.php?userid=8729
View this thread: https://forums.netiq.com/showthread.php?t=56089


  • I was thinking that if there is no option to not send the
    AuthnContextDeclRef in the service provider configuration, might there
    be a directive that I could include in the Service Provider metadata
    that would indicate not to send the AuthnContextDeclRef?

  • martintduffy;2432316 wrote:
    I am setting up a SAML 2 Service Provider. I am the Identity Provider

    In the SAML Assertion I post there is this

    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
      <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>
    </saml:AuthnContext>

    The Service Provider indicated that they cannot have the URI
    (AuthnContextDeclRef) in the Assertion:

    <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>

    The error they provided to me is this:

    System.InvalidOperationException: ID4180: A SAML2 assertion that
    specifies an AuthenticationContext DeclarationReference is not
    supported. To handle DeclarationReference, extend the
    Saml2SecurityTokenHandler and override ProcessAuthenticationStatement.

    Is there a way to suppress/remove the AuthnContextDeclRef in the SAML
    Assertion? And it would only be for this specific Service Provider. All
    of the others are fine with the AuthnContextDeclRef in the assertion.

    Thanks,
    Martin




    I don't see anything in the docs for the SAML "options" that would disable that. (there are documented SAML options, just didn't see one for that setting).

    Maybe Edward knows.

    --Kevin
  • martintduffy wrote:

    >
    > I am setting up a SAML 2 Service Provider. I am the Identity Provider
    >
    > In the SAML Assertion I post there is this
    >
    > <saml:AuthnContext>
    >   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
    >   <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>
    > </saml:AuthnContext>
    >
    > The Service Provider indicated that they cannot have the URI
    > (AuthnContextDeclRef) in the Assertion:
    >
    > <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>

    Ask them what they want in this value.
    On your side create a new local authentication contract where the URI
    has this value.

    Use that contract to authenticate the users.
  • kjhurni wrote:


    > I don't see anything in the docs for the SAML "options" that would
    > disable that. (there are documented SAML options, just didn't see one
    > for that setting).
    >
    > Maybe Edward knows.
    >
    > --Kevin


    I reckon the best bet will be what Alex is suggesting. You can't remove
    it from the token from what I know.

    --
    Cheers,
    Edward

  • alexmchugh;268983 Wrote:
    > martintduffy wrote:
    >
    > > I am setting up a SAML 2 Service Provider. I am the Identity Provider
    > >
    > > In the SAML Assertion I post there is this
    > >
    > > <saml:AuthnContext>
    > >   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
    > >   <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>
    > > </saml:AuthnContext>
    > >
    > > The Service Provider indicated that they cannot have the URI
    > > (AuthnContextDeclRef) in the Assertion:
    > >
    > > <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>
    >
    > Ask them what they want in this value.
    > On your side create a new local authentication contract where the URI
    > has this value.
    >
    > Use that contract to authenticate the users.


    Actually, they do not want it to be in the assertion at all.

    They want it to look like this:

    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
    </saml:AuthnContext>



  • Interesting, apparently this has come up before:

    https://lists.oasis-open.org/archives/security-services/200703/msg00004.html

    http://markmail.org/message/x5sgz3fpj42xtuwr?q=AuthnContextDeclRef list:org.oasis-open.lists.security-services#query:AuthnContextDeclRef list:org.oasis-open.lists.security-services page:1 mid:wph2ajgsuwvzuxaf state:results

    Now THIS one here is interesting, as if I read it correctly, it's the SP that actually requests this:

    https://forums.netiq.com/archive/index.php/t-47478.html

    Where exactly is this configurable at? Or does this have to be done on the 3rd party SP side?

    Yes, the value in AuthnContextDeclRef is chosen/set by the 3rd party SP. NAM will honour the RequestedAuthnContext if it can actually find a local contract that matches the URI specified. Otherwise it will use the default configured contract.

    It's the SP's responsibility to specify what kind of auth context they expect and also to validate the auth context returned by the IDP. I've seen plenty of implementations that fail to do either.
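    As an added example (not code from the thread, NAM or the .NET handler), the following Python shows the SP-side validation described above: the SP declares which AuthnContextClassRef values it accepts and reports a DeclRef it does not understand instead of failing outright, and a second function produces the ClassRef-only AuthnContext shape the SP asked for. The sample assertion fragment and its DeclRef URI are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ET.register_namespace("saml", SAML_NS)  # keep the saml: prefix when re-serialising

# Constructed sample (not from the thread): the AuthnContext shape the IdP emits,
# including a DeclRef. The DeclRef URI is a placeholder, not a real contract.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
      <saml:AuthnContextDeclRef>https://idp.example.invalid/contracts/kerberos</saml:AuthnContextDeclRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def inspect_authn_context(assertion_xml, accepted_classes):
    """SP-side check: for each AuthnStatement, report the ClassRef and DeclRef the
    IdP asserted and whether the ClassRef is one this SP accepts. A DeclRef is
    surfaced for logging/policy rather than treated as a hard failure."""
    root = ET.fromstring(assertion_xml)
    results = []
    for stmt in root.findall("saml:AuthnStatement", NS):
        ctx = stmt.find("saml:AuthnContext", NS)
        if ctx is None:  # schema requires it, but do not crash on a malformed token
            results.append({"class_ref": None, "decl_ref": None, "class_accepted": False})
            continue
        class_ref = ctx.findtext("saml:AuthnContextClassRef", default=None, namespaces=NS)
        decl_ref = ctx.findtext("saml:AuthnContextDeclRef", default=None, namespaces=NS)
        results.append({
            "class_ref": class_ref,
            "decl_ref": decl_ref,
            "class_accepted": class_ref in accepted_classes,
        })
    return results


def drop_decl_ref(assertion_xml):
    """IdP-side view of what the SP asked for: AuthnContext with ClassRef only.
    Only meaningful before the assertion is signed; removing elements from a
    signed assertion invalidates its signature, and an SP must reject that."""
    root = ET.fromstring(assertion_xml)
    for ctx in root.iter("{%s}AuthnContext" % SAML_NS):
        for decl in ctx.findall("saml:AuthnContextDeclRef", NS):
            ctx.remove(decl)
    return ET.tostring(root, encoding="unicode")
```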
  • kjhurni <kjhurni@no-mx.forums.microfocus.com> wrote:
    > Now THIS one here is interesting, as if I read it correctly, it's the SP
    > that actually requests this:


    This is true (makes total sense from a design perspective) and so few
    implementations actually do this. That is why I am so surprised to hear of
    a SP that chokes on a value.

    Regardless the best approach is as I suggested.


  • While there can be a request for a specific authentication contract in a
    SAML Request from the Service Provider it is not required to be in the
    Request and in this case the Service Provider has nothing in the Request
    concerning an Authentication Contract URI. That being said - they choke
    when there is any Authentication Contract in the SAML Assertion. Their
    error message specifically says that an Authentication Contract URI in
    the SAML Assertion is not supported.

    It is supposed to be optional to include an Authentication Contract URI
    in the SAML Assertion but there does not seem to be any option in NAM
    for - don't send the Authentication Contract URI.

    This is actually the second SP that I worked with that does not allow an
    Authentication Contract URI in the SAML Assertion. I think that the
    problem is that the SP is a custom coded SP using Microsoft Technology.
    MS gives you a basic framework and you build as little as possible and
    one of the things about the basic framework is that it does not support
    Authentication Contract URIs in the SAML Assertion.



  • martintduffy;2432498 wrote:
    While there can be a request for a specific authentication contract in a
    SAML Request from the Service Provider it is not required to be in the
    Request and in this case the Service Provider has nothing in the Request
    concerning an Authentication Contract URI. That being said - they choke
    when there is any Authentication Contract in the SAML Assertion. Their
    error message specifically says that an Authentication Contract URI in
    the SAML Assertion is not supported.

    It is supposed to be optional to include an Authentication Contract URI
    in the SAML Assertion but there does not seem to be any option in NAM
    for - don't send the Authentication Contract URI.

    This is actually the second SP that I worked with that does not allow an
    Authentication Contract URI in the SAML Assertion. I think that the
    problem is that the SP is a custom coded SP using Microsoft Technology.
    MS gives you a basic framework and you build as little as possible and
    one of the things about the basic framework is that it does not support
    Authentication Contract URIs in the SAML Assertion.




    I ran across some technet articles or something where MS states how to add that, so I know that if it's an "MS thingy" it's supported/doable.

    But I couldn't find anything in the OASIS docs/specs where it was listed as a "no no" to include it or not. And there's nothing I could find that specified that if the SP didn't ask for something that the IDP shouldn't include it, so it seems very up-in-the-air for things like this.

    But hopefully Alex's solution works for you.

    --Kevin

  • The problem is that you cannot create a contract without a URI which is
    what I think that Adam is suggesting. The SP wants nothing. In fact they
    don't want just no URI they do not want the tags. Below is exactly what
    they want. There are no AuthnContextDeclRef tags or anything.

    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:ProtectedPasswordTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>

