
Re: How to request urn:oasis:names:tc:SAML:2.0:ac:classes:


So when configuring the SP for GoogleApps, I enter the metadata text and it is:

<EntityDescriptor entityID="google.com"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/mydomain.com/acs" />
  </SPSSODescriptor>
</EntityDescriptor>

Can the authentication contract be specified anywhere in this metadata?
If not, where could we? I don't want the default contract to be used as I
don't want to change what is listed under IDP --> Local --> Defaults.


--
nareshbk
------------------------------------------------------------------------
nareshbk's Profile: http://forums.novell.com/member.php?userid=43220
View this thread: http://forums.novell.com/showthread.php?t=401899


Re: How to request urn:oasis:names:tc:SAML:2.0:ac:classes:

nareshbk wrote:

>
> So when configuring the SP for GoogleApps, I enter the metadata text
> and it is
>
> <EntityDescriptor entityID="google.com"
> xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
> <SPSSODescriptor
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>
> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress
> </NameIDFormat>
> <AssertionConsumerService index="1"
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Location="https://www.google.com/a/mydomain.com/acs" />
> </SPSSODescriptor>
> </EntityDescriptor>
>
> Can the authentication contract be specified anywhere in this
> metadata? If not, where could we? I don't want the default contract to
> be used as I don't want to change what is listed under IDP -->
> Local --> Defaults.


No, the actual AuthNRequest would contain this bit of information. The
metadata doesn't have any references to auth contracts. The AuthNRequest
would look like:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
    ForceAuthn="false" ID="idtOFUvmZ7QU0pFvD88.vn.M-bzxs" IsPassive="false"
    IssueInstant="2012-02-13T22:05:51Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer>http://idp.site.com:8080/nidp/saml2/metadata</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      SPNameQualifier="http://idp.site.com:8080/nidp/saml2/metadata"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextDeclRef>name/password/uri</saml:AuthnContextDeclRef>
    <saml:AuthnContextDeclRef>basic/name/password/uri</saml:AuthnContextDeclRef>
    <saml:AuthnContextDeclRef>secure/basic/name/password/uri</saml:AuthnContextDeclRef>
    <saml:AuthnContextDeclRef>secure/name/password/uri</saml:AuthnContextDeclRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

This is a SAML auth request between two NAM IDPs and it is requesting
one of the contracts listed to be used for authentication.

--
Cheers,
Edward
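As an added example that is not part of either post: a small Python check an SP could run on the response side, confirming that the AuthnContextDeclRef in the returned assertion is one of the contracts the AuthnRequest listed under Comparison="exact", and rejecting an assertion that names a contract outside that list. The AuthnRequest and assertion fragments are constructed for the example, modelled on Edward's request and reusing the contract names and issuer URL from the thread; the IDs and assertion timestamps are made up.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CTX_TAGS = ("{%s}AuthnContextDeclRef" % NS["saml"], "{%s}AuthnContextClassRef" % NS["saml"])

# Constructed AuthnRequest, modelled on the one in the thread (not a captured message).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2012-02-13T22:05:51Z">
  <saml:Issuer>http://idp.site.com:8080/nidp/saml2/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextDeclRef>secure/name/password/uri</saml:AuthnContextDeclRef>
    <saml:AuthnContextDeclRef>secure/basic/name/password/uri</saml:AuthnContextDeclRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed assertion fragment; {declref} is the contract the IDP reports it used.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2012-02-13T22:05:53Z">
  <saml:AuthnStatement AuthnInstant="2012-02-13T22:05:53Z">
    <saml:AuthnContext>
      <saml:AuthnContextDeclRef>{declref}</saml:AuthnContextDeclRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def requested_contexts(authn_request_xml):
    """Return (Comparison, [refs]) from RequestedAuthnContext; Comparison defaults to 'exact'."""
    rac = ET.fromstring(authn_request_xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []  # nothing requested: the IDP falls back to its default contract
    return rac.get("Comparison", "exact"), [e.text.strip() for e in rac if e.tag in CTX_TAGS]


def asserted_contexts(assertion_xml):
    """Return the DeclRef/ClassRef values carried by the assertion's AuthnContext."""
    ctx = ET.fromstring(assertion_xml).find(".//saml:AuthnStatement/saml:AuthnContext", NS)
    return [] if ctx is None else [e.text.strip() for e in ctx if e.tag in CTX_TAGS]


def context_accepted(authn_request_xml, assertion_xml):
    """SP-side check: under Comparison="exact" the asserted contract must be one we asked for."""
    comparison, requested = requested_contexts(authn_request_xml)
    asserted = asserted_contexts(assertion_xml)
    if not requested:
        return bool(asserted)  # no contract requested, so any reported contract is acceptable
    # minimum/better/maximum need an ordering of contracts; only exact is handled here
    assert comparison == "exact", "only Comparison='exact' is handled in this example"
    return any(a in requested for a in asserted)
```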