Setting AuthenContextClass when Credential Selector is specified in a partnership

Article ID: 428599

Products

SITEMINDER

Issue/Introduction

Sometimes it is necessary to force the Authentication Context Class reference (AuthnContextClassRef) that SiteMinder, acting as the local IdP, places in the assertions of a Partnership to a method other than the usual

urn:oasis:names:tc:SAML:2.0:ac:classes:Password

Let's assume that one wishes it to be, for instance,

urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract

If the Partnership has authentication method Local, it is certainly possible to do so, that is, to specify for instance

urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract

as the Authentication Class in the Authentication Class window under the Authentication section of the partnership.

However, for partnerships defined with an authentication method other than Local (for instance, Credential Selector), the SiteMinder GUI does not offer this possibility.

This means that for partnerships defined with an authentication method other than Local, assertions will always be sent with the Authentication Context Class reference set to urn:oasis:names:tc:SAML:2.0:ac:classes:Password.

Is there any way to change this behaviour?

Resolution

The AuthnContextClassRef parameter is read from the Policy Store at run time. Every partnership has this parameter associated with a certain value. The problem is that for authentication methods other than Local, there is no way to modify it via the GUI.

As a workaround, please do the following for a given <Partnership> partnership:

1. Deactivate the <Partnership> partnership and edit it.

2. In the Authentication section under SSO and SLO, change the Authentication type to Local.

3. Changing the Authentication type to Local allows you to specify an Authentication Context Class Reference for <Partnership>. For instance:

urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract

4. Save and activate the modified <Partnership> partnership. This stores the value you specified as the AuthnContextClassRef attribute, which is the desired one.

5. Deactivate and edit <Partnership> again, go to SSO and SLO, and change the Authentication type back to the desired method (for instance, Credential Selector). Save and activate <Partnership>.

After this, the right AuthnContextClassRef will be sent in the assertion.
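To confirm that the workaround took effect, inspect the assertion the IdP actually sends rather than trusting the GUI setting. The script below is an added example, not part of this article and not SiteMinder code: it base64-decodes a SAMLResponse as carried in the HTTP POST binding, extracts every AuthnContextClassRef from each AuthnStatement, and compares them with the class you expect. The response it parses is a constructed sample (issuer, IDs and timestamps are made up), not a SiteMinder capture.

```python
"""Verify which AuthnContextClassRef a SAML 2.0 Response carries."""
import base64
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {
    "saml2": SAML2_NS,
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# The two context classes discussed in the article.
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
MOBILE_2FA = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"

# Constructed sample Response (not a real capture); values are placeholders.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://idp.example.com</saml2:Issuer>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml2:Issuer>https://idp.example.com</saml2:Issuer>
    <saml2:Subject><saml2:NameID>jdoe</saml2:NameID></saml2:Subject>
    <saml2:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# What the browser would carry in the SAMLResponse form field (POST binding).
SAMPLE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")


def decode_saml_response(b64_value):
    """Turn the base64 SAMLResponse form parameter back into XML text."""
    return base64.b64decode(b64_value).decode("utf-8")


def authn_context_class_refs(xml_text):
    """Return the AuthnContextClassRef of every AuthnStatement, in document order.

    A statement with no class reference yields None so the caller can
    distinguish 'missing' from 'wrong'.
    """
    root = ET.fromstring(xml_text)
    refs = []
    for stmt in root.iter("{%s}AuthnStatement" % SAML2_NS):
        ref = stmt.find("saml2:AuthnContext/saml2:AuthnContextClassRef", NS)
        refs.append(ref.text.strip() if ref is not None and ref.text else None)
    return refs


def check_expected(xml_text, expected):
    """Return (ok, detail): ok is True only if every AuthnStatement carries `expected`."""
    refs = authn_context_class_refs(xml_text)
    if not refs:
        return False, "no AuthnStatement found in the response"
    wrong = [r for r in refs if r != expected]
    if wrong:
        return False, "unexpected class(es): " + ", ".join(str(r) for r in wrong)
    return True, "all %d AuthnStatement(s) carry %s" % (len(refs), expected)


if __name__ == "__main__":
    xml_text = decode_saml_response(SAMPLE_B64)
    print(authn_context_class_refs(xml_text))
    print(check_expected(xml_text, MOBILE_2FA))
    print(check_expected(xml_text, PASSWORD))
```

Feed it the SAMLResponse value captured from a browser trace after step 5: before the workaround a Credential Selector partnership yields Password, afterwards it should yield the class you configured. The same comparison is what a relying SP should perform on receipt when it requires a particular context class, so that an assertion carrying Password does not satisfy a MobileTwoFactorContract requirement.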

Additional Information

SSO and SLO Dialog