Can you suppress AuthnContextDeclRef in a SAML2 assertion?


I am setting up a SAML 2 Service Provider. I am the Identity Provider

In the SAML Assertion I post there is this

<saml:AuthnContext>

<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>

<saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>
</saml:AuthnContext>

The Service Provider indicated that they cannot have the URI
(AuthnContextDeclRef) in the Assertion:

<saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>

The error they provided to me is this:

System.InvalidOperationException: ID4180: A SAML2 assertion that
specifies an AuthenticationContext DeclarationReference is not
supported. To handle DeclarationReference, extend the
Saml2SecurityTokenHandler and override ProcessAuthenticationStatement.

Is there a way to suppress/remove the AuthnContextDeclRef in the SAML
Assertion? And it would only be for this specific Service Provider. All
of the others are fine with the AuthnContextDeclRef in the assertion.

Thanks,
Martin


--
martintduffy
------------------------------------------------------------------------
martintduffy's Profile: https://forums.netiq.com/member.php?userid=8729
View this thread: https://forums.netiq.com/showthread.php?t=56089

  • kjhurni <kjhurni@no-mx.forums.microfocus.com> wrote:
    >> It is supposed to be optional to include an Authentication Contract URI
    >> in the SAML Assertion but there does not seem to be any option in NAM
    >> for - don't send the Authentication Contract URI.


    The parent AuthnContext element is optional

    However if it is included then it must contain at least one of
    AuthnContextClassRef, AuthnContextDecl and AuthnContextDeclRef.

    When present, these child elements must contain valid URI (they can't just
    be present but empty)

    >> This is actually the second SP that I worked with that does not allow an
    >> Authentication Contract URI in the SAML Assertion. I think that the
    >> problem is that the SP is a custom coded SP using Microsoft Technology.
    >> MS gives you a basic framework and you build as little as possible and
    >> one of the things about the basic framework is that it does not support
    >> Authentication Contract URIs in the SAML Assertion.



    You can use AuthnContext Classes instead. I believe a limited set of values
    are supported by Microsoft for AuthnContextClassRef

    To set AuthnContextClassRef specify the value in Allowable Class field of
    the contract that is used.

    --
    If you find this post helpful and are logged into the web interface, show
    your appreciation and click on the star below...

  • I don't seem to be understanding what you are recommending. I don't see
    how it solves the problem.

    The SP has NO reference in their SAML REQUEST for anything concerning
    AuthnContextDeclRef - nothing.

    This is an example from their sample SAML Assertion of what they want.

    <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:ProtectedPasswordTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>

    If this is in there they choke. It does not matter what the value is.
    <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>

    So the question becomes how can I have NOTHING concerning
    AuthnContextDeclRef in the SAML Assertion? Tell NAM not to include the
    <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>
    in the SAML Assertion.



  • martintduffy <martintduffy@no-mx.forums.microfocus.com> wrote:
    > I don't seem to be understanding what you are recommending. I don't see
    > how it solves the problem.
    >
    > The SP has NO reference in their SAML REQUEST for anything concerning
    > AuthnContextDeclRef - nothing.

    Ok. Understood.

    > This is an example from their sample SAML Assertion of what they want.
    >
    > <saml:AuthnContext>
    > <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:ProtectedPasswordTransport</saml:AuthnContextClassRef>
    > </saml:AuthnContext>


    So. Have you configured the allowable class as I described on the contract
    used to authenticate the users? Is NAM sending AuthnContextClassRef at all?

    (That is the first half of the problem).

    > If this is in there they choke. It does not matter what the value is.
    > <saml:AuthnContextDeclRef>iaccess-mo.energytransfer.com/.../saml:AuthnContextDeclRef>
    >
    > So the question becomes how can I have NOTHING concerning
    > AuthnContextDeclRef in the SAML Assertion?

    We have answered that. Not sure if it is possible (or required). It is up
    to the SP what it does with the AuthnContext details.

    The SP should either ignore this section entirely (trusting that the IDP
    did the auth correctly),

    or

    pick one of the supplied values (and ignore the rest).

  • martintduffy wrote:
    > alexmchugh;268983 Wrote:
    > > martintduffy wrote:
    > > > I am setting up a SAML 2 Service Provider. I am the Identity
    > > > Provider
    > > >
    > > > In the SAML Assertion I post there is this
    > > >
    > > > <saml:AuthnContext>
    > > > <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
    > > > <saml:AuthnContextDeclRef>https://iaccess-mo.energytransfer.com/login</saml:AuthnContextDeclRef>
    > > > </saml:AuthnContext>
    > > >
    > > > The Service Provider indicated that they cannot have the URI
    > > > (AuthnContextDeclRef) in the Assertion:
    > > >
    > > > <saml:AuthnContextDeclRef>https://iaccess-mo.energytransfer.com/login</saml:AuthnContextDeclRef>
    > >
    > > Ask them what they want in this value.
    > > On your side create a new local authentication contract where the
    > > URI has this value.
    > >
    > > Use that contract to authenticate the users.
    >
    > actually they do not want it to be in the assertion at all.
    >
    > they want it to look like this
    >
    > <saml:AuthnContext>
    > <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>
    > </saml:AuthnContext>

    ok, this is a bit of a hack and it probably won't work but give it a go.

    Create a custom contract specifically for this SP. Assign it to the SP
    via the options tab.

    Set the URI for the contract to something easily identifiable. Then, on
    the AMC do a ldapsearch for:

    ldapsearch -D cn=admin,o=novell -w novell -b o=novell -o ldif-wrap=no
    objectclass=nidsAuthLocalContract nidsBaseURL

    Once you've found the object that matches your nidsBaseURL use the
    'View Objects' in iManager and browse to the DN of the object. Then
    modify the nidsBaseURL and whatever is in there, replace it with a
    space.

    This is what my token looked like:

    <saml:AuthnStatement AuthnInstant="2016-06-24T12:54:54Z" SessionIndex="idY39qLYOIKSJSe-lECOFRxO4TcnI">
    <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    <saml:AuthnContextDeclRef> </saml:AuthnContextDeclRef>
    </saml:AuthnContext>
    </saml:AuthnStatement>

    I have no clue what the consequences are of doing this though and no doubt
    NTS might bark at you if you ever call for support on this.

    If this doesn't work I'd suggest opening a ticket with NTS and see if
    they can reach out to engineering to see if they can build something to
    suppress the AuthNContext.

    --
    Cheers,
    Edward
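    An added example, not code from the thread or from NAM: a small SP-side pre-check that inspects the AuthnContext of a SAML 2.0 AuthnStatement and reports the two situations discussed above, an AuthnContextDeclRef being present at all (which this SP rejects with ID4180) and a child that is present but empty (the "replace nidsBaseURL with a space" result in Edward's token, which alexmchugh's earlier post says is not allowed). The sample assertion is constructed for the example and modelled on Edward's token.

```python
# Added example (not from the thread): inspect <saml:AuthnContext> and flag
# the cases the thread discusses. Only ElementTree from the standard library.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CHILDREN = ("AuthnContextClassRef", "AuthnContextDecl", "AuthnContextDeclRef")

def inspect_authn_context(assertion_xml):
    """Return a dict describing the AuthnContext of the first AuthnStatement."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find(".//saml:AuthnStatement", SAML_NS)
    result = {"present": False, "class_ref": None, "decl_ref": None, "problems": []}
    if stmt is None:
        result["problems"].append("no AuthnStatement in assertion")
        return result
    ctx = stmt.find("saml:AuthnContext", SAML_NS)
    if ctx is None:
        return result  # AuthnContext itself is optional, so nothing to check
    result["present"] = True
    found = {}
    for name in CHILDREN:
        el = ctx.find(f"saml:{name}", SAML_NS)
        if el is not None:
            # an inline AuthnContextDecl would carry child elements; not handled here
            found[name] = (el.text or "").strip()
    if not found:
        result["problems"].append("AuthnContext present but has no child element")
    for name, value in found.items():
        if not value:
            result["problems"].append(f"{name} is present but empty")
    result["class_ref"] = found.get("AuthnContextClassRef")
    result["decl_ref"] = found.get("AuthnContextDeclRef")
    if "AuthnContextDeclRef" in found:
        result["problems"].append("AuthnContextDeclRef present: this SP rejects it (ID4180)")
    return result

# Constructed sample modelled on the token Edward posted (DeclRef is a single space).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AuthnStatement AuthnInstant="2016-06-24T12:54:54Z" SessionIndex="constructed">
  <saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
   <saml:AuthnContextDeclRef> </saml:AuthnContextDeclRef>
  </saml:AuthnContext>
 </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for problem in inspect_authn_context(SAMPLE)["problems"]:
        print("problem:", problem)
```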
  • Edward van der Maas <edmaa@no-mx.forums.microfocus.com> wrote:
    > martintduffy wrote:
    >
    > If this doesn't work I'd suggest opening a ticket with NTS and see if
    > they can reach out to engineering to see if they can build something to
    > suppress the AuthNContext.


    Still think that the SP is misinterpreting the spec.

    They should ignore the stuff they don't want rather than error out.



  • Unfortunately the SP is a SAAS provider and will not change how their SP
    works or consumes the SAML Assertion.

    I created a SR with NetIQ and their NAM development team is looking to
    see what can possibly be done on the IDP side to suppress/remove the
    AuthnContextDeclRef from the SAML Assertion. I will let you know what
    they come up with.



  • Late reply to this, but for future reference ;-)

    Just ran into the same issue, and found out that NAM nowadays has an option to disable this: https://www.netiq.com/documentation/access-manager-45/admin/data/b1ax7qoc.html

    SAML2 AVOID AUTHNCONTEXT CLASS REFERENCE = true

  • You can set the option "SAML2 AVOID AUTHNCONTEXT CLASS REFERENCE" to true.

    From the docs: Set this to true to exclude AuthnContextClassRef as part of the SAML 2.0 assertion response for this service provider.