Can you suppress AuthnContextDeclRef in a SAML2 assertion?


I am setting up a SAML 2 Service Provider; I am the Identity Provider.

In the SAML Assertion I post there is this:

<saml:AuthnContext>

<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>

<saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>
</saml:AuthnContext>

The Service Provider indicated that they cannot have the URI
(AuthnContextDeclRef) in the Assertion:

<saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>

The error they provided to me is this:

System.InvalidOperationException: ID4180: A SAML2 assertion that
specifies an AuthenticationContext DeclarationReference is not
supported. To handle DeclarationReference, extend the
Saml2SecurityTokenHandler and override ProcessAuthenticationStatement.

Is there a way to suppress/remove the AuthnContextDeclRef in the SAML
Assertion? And it would only be for this specific Service Provider. All
of the others are fine with the AuthnContextDeclRef in the assertion.

Thanks,
Martin


--
martintduffy
------------------------------------------------------------------------
martintduffy's Profile: https://forums.netiq.com/member.php?userid=8729
View this thread: https://forums.netiq.com/showthread.php?t=56089
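The ID4180 message quoted above names the Service Provider-side workaround itself: extend Saml2SecurityTokenHandler and override ProcessAuthenticationStatement. The following is an added example of that override for the .NET 4.5 System.IdentityModel (WIF) handler; it is not code from this thread or from NetIQ Access Manager, and the handler class name and the claim type URI are assumptions. It keeps the AuthnContextClassRef (Kerberos in the assertion above) processing that the base class performs, and records the discarded declaration reference as an extra claim so that the value stays visible in the SP's audit trail instead of being silently lost.

```csharp
using System;
using System.IdentityModel.Tokens;   // Saml2SecurityTokenHandler et al. (System.IdentityModel.dll, .NET 4.5)
using System.Security.Claims;

// Assumed class name: a drop-in replacement for the default SAML2 token handler
// that tolerates a <saml:AuthnContextDeclRef> instead of throwing ID4180.
public class DeclRefTolerantSaml2TokenHandler : Saml2SecurityTokenHandler
{
    // Assumed claim type used to retain the declaration reference for auditing.
    public const string DeclarationReferenceClaimType =
        "urn:example:claims:saml2:authncontextdeclref";

    protected override void ProcessAuthenticationStatement(
        Saml2AuthenticationStatement statement, ClaimsIdentity subject, string issuer)
    {
        Saml2AuthenticationContext context = statement.AuthenticationContext;

        if (context != null && context.DeclarationReference != null)
        {
            Uri declRef = context.DeclarationReference;

            // Surface the value as a claim so the SP can log or inspect it later.
            subject.AddClaim(new Claim(
                DeclarationReferenceClaimType, declRef.OriginalString,
                ClaimValueTypes.String, issuer));

            // Rebuild the context without the declaration reference. Keep the class
            // reference (e.g. urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos) and any
            // authenticating authorities so the base class still emits its usual claims.
            var stripped = new Saml2AuthenticationContext();
            stripped.ClassReference = context.ClassReference;
            foreach (Uri authority in context.AuthenticatingAuthorities)
            {
                stripped.AuthenticatingAuthorities.Add(authority);
            }

            statement.AuthenticationContext = stripped;
        }

        // The base implementation adds the AuthenticationMethod and AuthenticationInstant
        // claims and throws ID4180 only when DeclarationReference is still set.
        base.ProcessAuthenticationStatement(statement, subject, issuer);
    }
}
```

Register the class in place of the built-in Saml2SecurityTokenHandler in the securityTokenHandlers section of the SP's identity configuration. This changes only how the SP interprets the statement after the assertion's signature has been validated; the signed XML is untouched. Removing the element from an already signed assertion on the IdP side would invalidate the signature, so the accepting side is the right place for this accommodation.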

  • martintduffy;2432316 wrote:
    I am setting up a SAML 2 Service Provider; I am the Identity Provider.

    In the SAML Assertion I post there is this:

    <saml:AuthnContext>

    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>

    <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>
    </saml:AuthnContext>

    The Service Provider indicated that they cannot have the URI
    (AuthnContextDeclRef) in the Assertion:

    <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>

    The error they provided to me is this:

    System.InvalidOperationException: ID4180: A SAML2 assertion that
    specifies an AuthenticationContext DeclarationReference is not
    supported. To handle DeclarationReference, extend the
    Saml2SecurityTokenHandler and override ProcessAuthenticationStatement.

    Is there a way to suppress/remove the AuthnContextDeclRef in the SAML
    Assertion? And it would only be for this specific Service Provider. All
    of the others are fine with the AuthnContextDeclRef in the assertion.

    Thanks,
    Martin



    I don't see anything in the docs for the SAML "options" that would disable that. (There are documented SAML options; I just didn't see one for that setting.)

    Maybe Edward knows.

    --Kevin
  • kjhurni wrote:


    > I don't see anything in the docs for the SAML "options" that would
    > disable that. (there are documented SAML options, just didn't see one
    > for that setting).
    >
    > Maybe Edward knows.
    >
    > --Kevin


    I reckon the best bet will be what Alex is suggesting. You can't remove
    it from the token from what I know.

    --
    Cheers,
    Edward