jwilleke Trusted Contributor.

authnContextClassRef values

We have multiple LAG clusters using the same IDP Clusters.

One Cluster is for the home office and is in xyz.com domain.

The other is for a specific group and is abc.xyz.com domain.

We are using SAML federation with WebEX and it works well when we
authenticate from the xyz.com.

However, when we authenticate first from the abc.xyz.com domain the
saml assertion fails.


We see the following differences in the SAML assertion:

When we go to the site direct, or if we have authenticated from the
xyz.com, the AuthnContextClassRef is: (Which works)
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>


When we go abc.xyz.com domain and authenticate and then go to the SP,
we see (Which Fails)
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>


We can set the value on the SP to only one value.
Can someone explain:
How the saml:AuthnContextClassRef values should be used?

Why are they different?

If we set the value on the SP to:
"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

Does that imply the SP should accept any?


--

Thank You for your help!

-jim
Jim Willeke

Anonymous_User Absent Member.

Re: authnContextClassRef values

Adam,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your problem been resolved? If not, you might try one of the following options:

- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your Novell Product Support Forums Team
http://forums.novell.com/

Knowledge Partner

Re: authnContextClassRef values

Jim Willeke wrote:

> We have multiple LAG clusters using the same IDP Clusters.
>
> One Cluster is for the home office and is in xyz.com domain.
>
> The other is for a specific group and is abc.xyz.com domain.
>
> We are using SAML federation with WebEX and it works well when we
> authenticate from the xyz.com.
>
> However, when we authenticate first from the abc.xyz.com domain the
> saml assertion fails.
>
>
> We see the following differences in the SAML assertion:
>
> When we go to the site direct, or if we have authenticated from the
> xyz.com, the AuthnContextClassRef is: (Which works)
> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
>
> When we go abc.xyz.com domain and authenticate and then go to the
> SP, we see (Which Fails)
> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
>
> We can set the value on the SP to only one value.
> Can someone explain:
> How the saml:AuthnContextClassRef values should be used?


The way I understand it is that it allows you to tell the SP that you
have authenticated with contractX. Let's say you use an SP initiated
login and the SP requires that you use two factor authentication. The
SP wants to know that you truly authenticated with it, so the SAML
assertion contains a statement that you have authenticated with a
certain contract. It is up to the SP to read this element. Do
abc.xyz.com and xyz.com use different contracts by any chance?


--
Cheers,
Edward
jwilleke Trusted Contributor.

Re: authnContextClassRef values

On 2012-06-26 11:43:53 +0000, Edward van der Maas said:

> Jim Willeke wrote:
>
>> We have multiple LAG clusters using the same IDP Clusters.
>>
>> One Cluster is for the home office and is in xyz.com domain.
>>
>> The other is for a specific group and is abc.xyz.com domain.
>>
>> We are using SAML federation with WebEX and it works well when we
>> authenticate from the xyz.com.
>>
>> However, when we authenticate first from the abc.xyz.com domain the
>> saml assertion fails.
>>
>>
>> We see the following differences in the SAML assertion:
>>
>> When we go to the site direct, or if we have authenticated from the
>> xyz.com, the AuthnContextClassRef is: (Which works)
>> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
>>
>> When we go abc.xyz.com domain and authenticate and then go to the
>> SP, we see (Which Fails)
>> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
>>
>> We can set the value on the SP to only one value.
>> Can someone explain:
>> How the saml:AuthnContextClassRef values should be used?

>
> The way I understand it is that it allows you to tell the SP that you
> have authenticated with contractX. Let's say you use an SP initiated
> login and the SP requires that you use two factor authentication. The
> SP wants to know that you truly authenticated with it, so the SAML
> assertion contains a statement that you have authenticated with a
> certain contract. It is up to the SP to read this element. Do
> abc.xyz.com and xyz.com use different contracts by any chance?


Yes, they are different contracts, but all are acceptable.
We were able to solve this by adding both of the values for the
<saml:AuthnContextClassRef> on the WebEx side.
(Separated with a ";")

But I am still very curious why the two different values would be presented.
Or even what the various values of <saml:AuthnContextClassRef> might be
and under what conditions.
I have not been able to find any definition of how it is supposed to be used.


--

Thank You for your help!

-jim
Jim Willeke
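Putting Edward's description (the SP reads the AuthnContextClassRef element and decides) and Jim's fix (both URIs listed on the WebEx side, separated by ";") into working code, as an added example that is not part of this thread and not the code of any Novell/NetIQ or WebEx product. It assumes the SP compares class references as literal URIs (the SAML 2.0 default, Comparison="exact"), that its setting is a ";"-separated list as Jim configured, and that each IdP contract declares one class reference; the contract names, the IDP_CONTRACTS mapping, the issuer URL and the sample assertions are all constructed for the example. On the "unspecified" question, the example follows the SAML 2.0 authentication context spec Edward linked, where urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified is itself a class meaning "authenticated by unspecified means", not a wildcard; whether a particular SP product treats it differently is not something the thread establishes.

```python
"""Added example (not from the thread): how an SP evaluates
saml:AuthnContextClassRef against its configured allowed value(s)."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PASSWORD = AC + "Password"                # name/password; channel protection not asserted
PPT = AC + "PasswordProtectedTransport"   # name/password over a protected (e.g. TLS) session
UNSPECIFIED = AC + "unspecified"          # "authenticated by unspecified means" (a class, not a wildcard)

# Hypothetical IdP-side mapping (constructed): each authentication contract
# declares the class reference it asserts. Two clusters using different
# contracts therefore present different values, which is Edward's point.
IDP_CONTRACTS = {
    "xyz.com/secure-name-password": PPT,
    "abc.xyz.com/name-password": PASSWORD,
}


def idp_class_ref(contract):
    """Class reference the IdP places in the AuthnStatement for a contract."""
    return IDP_CONTRACTS[contract]


def build_assertion(class_ref):
    """Constructed minimal assertion; Signature/Conditions omitted on purpose."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-1" Version="2.0">'
        "<saml:Issuer>https://idp.xyz.com/</saml:Issuer>"  # constructed issuer
        '<saml:AuthnStatement AuthnInstant="2012-06-26T11:43:53Z">'
        "<saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    )


def extract_class_ref(assertion_xml):
    """Return the first AuthnContextClassRef text, or None if the element is absent."""
    root = ET.fromstring(assertion_xml)
    el = root.find(f".//{{{SAML_NS}}}AuthnContextClassRef")
    if el is None or not el.text:
        return None
    return el.text.strip()


def parse_allowed(setting):
    """SP setting: one URI, or several separated by ';' (as on the WebEx side)."""
    return {v.strip() for v in setting.split(";") if v.strip()}


def sp_accepts(assertion_xml, setting):
    """Exact comparison: the asserted URI must be one of the configured URIs.
    An assertion without a class reference is rejected rather than assumed."""
    ref = extract_class_ref(assertion_xml)
    return ref is not None and ref in parse_allowed(setting)


def evaluate_scenarios():
    """The situations from the thread, keyed by a short label -> accepted?"""
    ppt = build_assertion(idp_class_ref("xyz.com/secure-name-password"))
    pwd = build_assertion(idp_class_ref("abc.xyz.com/name-password"))
    return {
        "home office, SP set to PPT only": sp_accepts(ppt, PPT),
        "abc cluster, SP set to PPT only": sp_accepts(pwd, PPT),
        "abc cluster, SP set to both": sp_accepts(pwd, f"{PPT};{PASSWORD}"),
        "abc cluster, SP set to unspecified": sp_accepts(pwd, UNSPECIFIED),
    }


if __name__ == "__main__":
    for label, ok in evaluate_scenarios().items():
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```

Run stand-alone it prints one line per scenario: the home-office assertion passes against a PPT-only setting, the abc cluster's Password assertion fails against it, passes once both URIs are listed, and is still rejected when the SP is set to "unspecified", because under exact comparison that URI matches only itself. If an SP is meant to accept several strengths, listing them explicitly (or having the IdP assert the same contract for both clusters) is the defensible configuration; widening the SP's check to "anything" would silently accept weaker contexts than the one it was designed for.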

Knowledge Partner

Re: authnContextClassRef values

Jim Willeke wrote:


> Yes, they are different contracts, but all are acceptable.
> We were able to solve this by adding both of the values for the
> <saml:AuthnContextClassRef> on the WebEx side. (Separated with a ";")
>
> But I am still very curious why the two different values would be
> presented. Or even what the various values of
> <saml:AuthnContextClassRef> might be and under what conditions. I
> have not been able to find any definition of how it is supposed to be
> used.


Well...from the SAML2 spec (see
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) it
is used to define an authentication context...I guess that can be
interpreted in many ways...

--
Cheers,
Edward