Can you suppress AuthnContextDeclRef in a SAML2 assertion?


I am setting up a SAML 2 Service Provider. I am the Identity Provider.

In the SAML Assertion I post there is this:

<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
<saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>
</saml:AuthnContext>

The Service Provider indicated that they cannot have the URI
(AuthnContextDeclRef) in the Assertion:

<saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>

The error they provided to me is this:

System.InvalidOperationException: ID4180: A SAML2 assertion that
specifies an AuthenticationContext DeclarationReference is not
supported. To handle DeclarationReference, extend the
Saml2SecurityTokenHandler and override ProcessAuthenticationStatement.

Is there a way to suppress/remove the AuthnContextDeclRef in the SAML
Assertion? And it would only be for this specific Service Provider. All
of the others are fine with the AuthnContextDeclRef in the assertion.

Thanks,
Martin


--
martintduffy
------------------------------------------------------------------------
martintduffy's Profile: https://forums.netiq.com/member.php?userid=8729
View this thread: https://forums.netiq.com/showthread.php?t=56089

  • kjhurni <kjhurni@no-mx.forums.microfocus.com> wrote:
    > Now THIS one here is interesting, as if I read it correctly, it's the SP
    > that actually requests this:

    This is true (makes total sense from a design perspective) and so few
    implementations actually do this. That is why I am so surprised to hear of
    an SP that chokes on a value.

    Regardless the best approach is as I suggested.

    --
    If you find this post helpful and are logged into the web interface, show
    your appreciation and click on the star below...

  • While there can be a request for a specific authentication contract in a
    SAML Request from the Service Provider it is not required to be in the
    Request and in this case the Service Provider has nothing in the Request
    concerning an Authentication Contract URI. That being said - they choke
    when there is any Authentication Contract in the SAML Assertion. Their
    error message specifically says that an Authentication Contract URI in
    the SAML Assertion is not supported.

    It is supposed to be optional to include an Authentication Contract URI
    in the SAML Assertion but there does not seem to be any option in NAM
    for - don't send the Authentication Contract URI.

    This is actually the second SP that I worked with that does not allow an
    Authentication Contract URI in the SAML Assertion. I think that the
    problem is that the SP is a custom coded SP using Microsoft Technology.
    MS gives you a basic framework and you build as little as possible and
    one of the things about the basic framework is that it does not support
    Authentication Contract URIs in the SAML Assertion.


    --
    martintduffy

  • martintduffy;2432498 wrote:
    > While there can be a request for a specific authentication contract in a
    > SAML Request from the Service Provider it is not required to be in the
    > Request and in this case the Service Provider has nothing in the Request
    > concerning an Authentication Contract URI. That being said - they choke
    > when there is any Authentication Contract in the SAML Assertion. Their
    > error message specifically says that an Authentication Contract URI in
    > the SAML Assertion is not supported.
    >
    > It is supposed to be optional to include an Authentication Contract URI
    > in the SAML Assertion but there does not seem to be any option in NAM
    > for - don't send the Authentication Contract URI.
    >
    > This is actually the second SP that I worked with that does not allow an
    > Authentication Contract URI in the SAML Assertion. I think that the
    > problem is that the SP is a custom coded SP using Microsoft Technology.
    > MS gives you a basic framework and you build as little as possible and
    > one of the things about the basic framework is that it does not support
    > Authentication Contract URIs in the SAML Assertion.

    I ran across some technet articles or something where MS states how to add that, so I know that if it's an "MS thingy" it's supported/doable.

    But I couldn't find anything in the OASIS docs/specs where it was listed as a "no no" to include it or not. And there's nothing I could find that specified that if the SP didn't ask for something that the IDP shouldn't include it, so it seems very up-in-the-air for things like this.

    But hopefully Alex's solution works for you.

    --Kevin

  • The problem is that you cannot create a contract without a URI which is
    what I think that Adam is suggesting. The SP wants nothing. In fact they
    don't want just no URI they do not want the tags. Below is exactly what
    they want. There are no AuthnContextDeclRef tags or anything.

    <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:ProtectedPasswordTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>


    --
    martintduffy

  • kjhurni <kjhurni@no-mx.forums.microfocus.com> wrote:
    >
    >> It is supposed to be optional to include an Authentication Contract URI
    >> in the SAML Assertion but there does not seem to be any option in NAM
    >> for - don't send the Authentication Contract URI.
    >>


    The parent AuthnContext element is optional

    However if it is included then it must contain at least one of
    AuthnContextClassRef, AuthnContextDecl and AuthnContextDeclRef.

    When present, these child elements must contain a valid URI (they can't
    just be present but empty).

    >> This is actually the second SP that I worked with that does not allow
    >> an Authentication Contract URI in the SAML Assertion. I think that the
    >> problem is that the SP is a custom coded SP using Microsoft Technology.
    >> MS gives you a basic framework and you build as little as possible and
    >> one of the things about the basic framework is that it does not support
    >> Authentication Contract URIs in the SAML Assertion.

    You can use AuthnContext Classes instead. I believe a limited set of values
    are supported by Microsoft for AuthnContextClassRef

    To set AuthnContextClassRef specify the value in Allowable Class field of
    the contract that is used.


  • I don't seem to be understanding what you are recommending. I don't see
    how it solves the problem.

    The SP has NO reference in their SAML REQUEST for anything concerning
    AuthnContextDeclRef - nothing.

    This is an example from their sample SAML Assertion of what they want.

    <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:ProtectedPasswordTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>

    If this is in there they choke. It does not matter what the value is.
    <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>

    So the question becomes how can I have NOTHING concerning
    AuthnContextDeclRef in the SAML Assertion? Tell NAM not to include the
    <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>
    in the SAML Assertion.


    --
    martintduffy

  • martintduffy <martintduffy@no-mx.forums.microfocus.com> wrote:
    > I don't seem to be understanding what you are recommending. I don't see
    > how it solves the problem.
    >
    > The SP has NO reference in their SAML REQUEST for anything concerning
    > AuthnContextDeclRef - nothing.

    Ok. Understood.

    > This is an example from their sample SAML Assertion of what they want.
    >
    > <saml:AuthnContext>
    > <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:ProtectedPasswordTransport</saml:AuthnContextClassRef>
    > </saml:AuthnContext>


    So. Have you configured the allowable class as I described on the contract
    used to authenticate the users? Is NAM sending AuthnContextClassRef at all?

    (That is the first half of the problem).

    > If this is in there they choke. It does not matter what the value is.
    > <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>
    >
    > So the question becomes how can I have NOTHING concerning
    > AuthnContextDeclRef in the SAML Assertion?

    We have answered that. Not sure if it is possible (or required). It is up
    to the SP what it does with the AuthnContext details.

    The SP should either ignore this section entirely. (Trusting that the IDP
    did the auth correctly.)

    Or

    Pick one of the supplied values (and ignore the rest)

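As an added example (not code from the thread, from NetIQ Access Manager, or from the SP), the following stdlib Python puts both halves of the discussion into working form: a check of the AuthnContext rules Alex quotes (if the element is present it needs at least one of ClassRef/Decl/DeclRef, and a *Ref child must carry a real URI, not be present but empty), the tolerant SP-side read Alex recommends (take the ClassRef, ignore the DeclRef), and the IdP-side, per-SP suppression of the DeclRef that Martin is asking for. The sample assertion, the SP entity IDs, the DeclRef URL and the policy table are all constructed for the example.

```python
# Added example for this thread, not code from NetIQ Access Manager, the SP
# or any poster. Everything below (sample assertion, entity IDs, DeclRef URL,
# policy table) is constructed for illustration.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS}
ET.register_namespace("saml", SAML_NS)

# The three children SAML 2.0 core allows inside <saml:AuthnContext>.
AUTHN_CONTEXT_CHILDREN = ("AuthnContextClassRef", "AuthnContextDecl", "AuthnContextDeclRef")

# Constructed sample shaped like the assertion quoted in the question
# (real Kerberos class URI; hypothetical DeclRef URL and issuer).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.com/nidp/saml2/metadata</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2014-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
      <saml:AuthnContextDeclRef>https://idp.example.com/contracts/kerberos</saml:AuthnContextDeclRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Hypothetical per-SP policy: which AuthnContext children each relying party accepts.
SP_POLICY = {
    "https://sp-dotnet.example.com/": {"AuthnContextClassRef"},   # fails on DeclRef (ID4180)
    "https://sp-other.example.com/": set(AUTHN_CONTEXT_CHILDREN),  # takes everything
}


def _local(tag):
    """'{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def _is_uri(value):
    """xs:anyURI check that is strict enough to catch empty or bare text."""
    p = urlparse(value.strip())
    return bool(p.scheme) and bool(p.netloc or p.path)


def validate_authn_context(assertion_xml):
    """Return problems against the rules Alex cites: if <AuthnContext> is
    present it needs at least one of the three children, and a *Ref child
    must carry a non-empty URI rather than being present but empty."""
    root = ET.fromstring(assertion_xml)
    problems = []
    for ctx in root.iterfind(".//saml:AuthnContext", NS):
        present = [c for c in ctx if _local(c.tag) in AUTHN_CONTEXT_CHILDREN]
        if not present:
            problems.append("AuthnContext is present but has no ClassRef/Decl/DeclRef")
        for c in present:
            name = _local(c.tag)
            if name.endswith("Ref") and not (c.text and _is_uri(c.text)):
                problems.append(f"{name} is not a valid URI: {c.text!r}")
    return problems


def sp_view(assertion_xml):
    """The tolerant SP behaviour Alex recommends: take the ClassRef values
    and ignore any DeclRef instead of rejecting the whole assertion."""
    root = ET.fromstring(assertion_xml)
    return [c.text.strip()
            for c in root.iterfind(".//saml:AuthnContext/saml:AuthnContextClassRef", NS)
            if c.text]


def tailor_for_sp(assertion_xml, sp_entity_id):
    """IdP-side, per-SP suppression: drop the AuthnContext children this SP
    does not accept. Runs on the UNSIGNED assertion; editing a signed one
    breaks the XML-DSig reference, so we refuse if a Signature is present.
    Returns (new_xml, names_removed)."""
    allowed = SP_POLICY.get(sp_entity_id, set(AUTHN_CONTEXT_CHILDREN))
    root = ET.fromstring(assertion_xml)
    if root.find(f".//{{{DSIG_NS}}}Signature") is not None:
        raise ValueError("assertion is already signed; tailor it before signing")
    removed = []
    for ctx in root.iterfind(".//saml:AuthnContext", NS):
        for child in list(ctx):
            name = _local(child.tag)
            if name in AUTHN_CONTEXT_CHILDREN and name not in allowed:
                ctx.remove(child)
                removed.append(name)
        if not any(_local(c.tag) in AUTHN_CONTEXT_CHILDREN for c in ctx):
            # Core requires at least one child once the element is present.
            raise ValueError(f"policy for {sp_entity_id} would leave AuthnContext empty")
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print(validate_authn_context(SAMPLE_ASSERTION))   # []
    print(sp_view(SAMPLE_ASSERTION))
    xml_out, gone = tailor_for_sp(SAMPLE_ASSERTION, "https://sp-dotnet.example.com/")
    print(gone, "AuthnContextDeclRef" in xml_out)      # ['AuthnContextDeclRef'] False
```

The point of the Signature check in tailor_for_sp is the practical one: once the IdP has signed the assertion, nothing downstream (a proxy, a rewrite rule, a quick script) can strip the DeclRef without invalidating the signature, so the SP would reject the message for a different reason. Per-SP suppression therefore has to be an IdP configuration option applied before signing, not a post-processing step.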

  • Unfortunately the SP is a SAAS provider and will not change how their SP
    works or consumes the SAML Assertion.

    I created a SR with NetIQ and their NAM development team is looking to
    see what can possibly be done on the IDP side to suppress/remove the
    AuthnContextDeclRef from the SAML Assertion. I will let you know what
    they come up with.


    --
    martintduffy

  • Late reply to this, but for future reference ;-)

    just ran into the same issue, and found out that NAM nowadays has an option to disable this: https://www.netiq.com/documentation/access-manager-45/admin/data/b1ax7qoc.html

    SAML2 AVOID AUTHNCONTEXT CLASS REFERENCE = true
