Can you suppress AuthnContextDeclRef in a SAML2 assertion?


I am setting up a SAML 2 Service Provider. I am the Identity Provider

In the SAML Assertion I post there is this

<saml:AuthnContext>

<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>

<saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>
</saml:AuthnContext>

The Service Provider indicated that they cannot have the URI
(AuthnContextDeclRef) in the Assertion:

<saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>

The error they provided to me is this:

System.InvalidOperationException: ID4180: A SAML2 assertion that
specifies an AuthenticationContext DeclarationReference is not
supported. To handle DeclarationReference, extend the
Saml2SecurityTokenHandler and override ProcessAuthenticationStatement.

Is there a way to suppress/remove the AuthnContextDeclRef in the SAML
Assertion? And it would only be for this specific Service Provider. All
of the others are fine with the AuthnContextDeclRef in the assertion.

Thanks,
Martin


--
martintduffy
------------------------------------------------------------------------
martintduffy's Profile: https://forums.netiq.com/member.php?userid=8729
View this thread: https://forums.netiq.com/showthread.php?t=56089

  • martintduffy wrote:

    >
    > I am setting up a SAML 2 Service Provider. I am the Identity Provider
    >
    > In the SAML Assertion I post there is this
    >
    > <saml:AuthnContext>
    >
    > <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
    >
    > <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>
    > </saml:AuthnContext>
    >
    > The Service Provider indicated that they cannot have the URI
    > (AuthnContextDeclRef) in the Assertion:
    >
    > <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>

    Ask them what they want in this value.
    On your side create a new local authentication contract where the URI
    has this value.

    Use that contract to authenticate the users.

  • alexmchugh;268983 Wrote:
    > martintduffy wrote:
    >
    > >
    > > I am setting up a SAML 2 Service Provider. I am the Identity Provider
    > >
    > > In the SAML Assertion I post there is this
    > >
    > > <saml:AuthnContext>
    > >
    > > <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
    > >
    > > <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>
    > > </saml:AuthnContext>
    > >
    > > The Service Provider indicated that they cannot have the URI
    > > (AuthnContextDeclRef) in the Assertion:
    > >
    > > <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>
    >
    > Ask them what they want in this value.
    > On your side create a new local authentication contract where the URI
    > has this value.
    >
    > Use that contract to authenticate the users.


    actually they do not want it to be in the assertion at all.

    they want it to look like this

    <saml:AuthnContext>

    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
    </saml:AuthnContext>


    --
    martintduffy

  • martintduffy wrote:

    >
    > alexmchugh;268983 Wrote:
    > > martintduffy wrote:
    > >
    > > >
    > > > I am setting up a SAML 2 Service Provider. I am the Identity
    > > > Provider
    > > >
    > > > In the SAML Assertion I post there is this
    > > >
    > > > <saml:AuthnContext>
    > > >
    > > > <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
    > > >
    > > > <saml:AuthnContextDeclRef>https://iaccess-mo.energytransfer.com/login</saml:AuthnContextDeclRef>
    > > > </saml:AuthnContext>
    > > >
    > > > The Service Provider indicated that they cannot have the URI
    > > > (AuthnContextDeclRef) in the Assertion:
    > > >
    > > > <saml:AuthnContextDeclRef>https://iaccess-mo.energytransfer.com/login</saml:AuthnContextDeclRef>
    > >
    > > Ask them what they want in this value.
    > > On your side create a new local authentication contract where the
    > > URI has this value.
    > >
    > > Use that contract to authenticate the users.
    >
    > actually they do not want it to be in the assertion at all.
    >
    > they want it to look like this
    >
    > <saml:AuthnContext>
    >
    > <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
    > </saml:AuthnContext>


    ok, this is a bit of a hack and it probably won't work but give it a go.

    Create a custom contract specifically for this SP. Assign it to the SP
    via the options tab.

    Set the URI for the contract to something easily identifiable. Then, on
    the AMC do a ldapsearch for:

    ldapsearch -D cn=admin,o=novell -w novell -b o=novell -o ldif-wrap=no objectclass=nidsAuthLocalContract nidsBaseURL

    Once you've found the object that matches your nidsBaseURL use the
    'View Objects' in iManager and browse to the DN of the object. Then
    modify the nidsBaseURL and whatever is in there, replace it with a
    space.

    This is what my token looked like:

    <saml:AuthnStatement AuthnInstant="2016-06-24T12:54:54Z"
    SessionIndex="idY39qLYOIKSJSe-lECOFRxO4TcnI">
    <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    <saml:AuthnContextDeclRef> </saml:AuthnContextDeclRef>
    </saml:AuthnContext>

    I have no clue what the consequences are of doing this though, and no doubt
    NTS might bark at you if you ever call for support on this.

    If this doesn't work I'd suggest opening a ticket with NTS and see if
    they can reach out to engineering to see if they can build something to
    suppress the AuthNContext.

    --
    Cheers,
    Edward
  • Edward van der Maas <edmaa@no-mx.forums.microfocus.com> wrote:
    > martintduffy wrote:
    >
    >
    >
    > If this doesn't work I'd suggest opening a ticket with NTS and see if
    > they can reach out to engineering to see if they can build something to
    > suppress the AuthNContext.
    >


    Still think that the SP is misinterpreting the spec.

    They should ignore the stuff they don't want rather than error out.

    --
    If you find this post helpful and are logged into the web interface, show
    your appreciation and click on the star below...
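The three assertion shapes discussed in this thread (the original with a DeclRef URL, Edward's whitespace-only DeclRef after the nidsBaseURL workaround, and the DeclRef-free form the SP asked for) parsed by a strict SP modelled on the ID4180 message beside the tolerant SP Alex describes. This is an added example, not code from the thread or from NetIQ Access Manager; the assertions are constructed and unsigned, the DeclRef URL is a placeholder, and whether the SP's real handler rejects a whitespace-only DeclRef is not stated in the thread.

```python
# Added example (not from the thread): extract the AuthnContext of a SAML 2.0
# assertion and contrast a strict SP (rejects any AuthnContextDeclRef, modelled
# on the ID4180 message) with a tolerant SP that keeps only the ClassRef.
from typing import Optional
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}


def authn_context(assertion_xml: str) -> dict:
    """Return ClassRef and DeclRef of the first AuthnStatement.

    decl_ref is None when the element is absent and "" when it is present
    but whitespace-only (the shape the nidsBaseURL-to-space workaround yields).
    """
    root = ET.fromstring(assertion_xml)
    ctx = root.find(".//saml:AuthnStatement/saml:AuthnContext", NS)
    if ctx is None:
        raise ValueError("no AuthnContext in assertion")
    class_el = ctx.find("saml:AuthnContextClassRef", NS)
    decl_el = ctx.find("saml:AuthnContextDeclRef", NS)
    return {
        "class_ref": (class_el.text or "").strip() if class_el is not None else None,
        "decl_ref": None if decl_el is None else (decl_el.text or "").strip(),
    }


def strict_sp_authn_method(assertion_xml: str) -> str:
    """Strict handling (modelled): any DeclRef element at all is an error."""
    ctx = authn_context(assertion_xml)
    if ctx["decl_ref"] is not None:
        raise ValueError("ID4180-style rejection: AuthnContextDeclRef present")
    return ctx["class_ref"]


def tolerant_sp_authn_method(assertion_xml: str) -> str:
    """Tolerant handling: take the ClassRef and ignore an unneeded DeclRef."""
    return authn_context(assertion_xml)["class_ref"]


def assertion(class_ref: str, decl_ref: Optional[str]) -> str:
    """Build a minimal, unsigned assertion (constructed test input)."""
    decl = "" if decl_ref is None else f"<saml:AuthnContextDeclRef>{decl_ref}</saml:AuthnContextDeclRef>"
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}">'
            '<saml:AuthnStatement AuthnInstant="2016-06-24T12:54:54Z"><saml:AuthnContext>'
            f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>{decl}"
            "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>")


KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
ORIGINAL = assertion(KERBEROS, "https://idp.example.com/login")  # placeholder DeclRef URL
WORKAROUND = assertion(KERBEROS, " ")  # element still present, whitespace-only
DESIRED = assertion(KERBEROS, None)    # what the SP asked for
```

Run the strict and tolerant functions over all three constants: only DESIRED passes the strict parser, while the tolerant one returns the Kerberos ClassRef for every shape.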
