Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Authentication Context Mappers

Authentication context refers to information added to an assertion regarding details of the technology used for the actual authentication action. For example, a service provider can request that an identity provider comply with a specific authentication method by identifying that method in an authentication request. The authentication context mappers pair a standard SAMLv2 authentication context class reference (PasswordProtectedTransport, for example) to an Access Manager authentication scheme (module=LDAP, for example) on the identity provider side and set the appropriate authentication level in the user's SSO token on the service provider side. The identity provider would then deliver (with the assertion) the authentication context information in the form of an authentication context declaration added to the assertion. The process for this is described below.

  1. A user accesses spSSOInit.jsp using the AuthnContextClassRef query parameter.

    For example, http://SP_host:SP_port/uri/spSSOInit.jsp?metaAlias=SP_MetaAlias&idpEntityID=IDP_EntityID&AuthnContextClassRef=PasswordProtectedTransport

  2. The SPAuthnContextMapper is invoked to map the value of the query parameter to a <RequestedAuthnContext> and an authentication level.

  3. The service provider sends the <AuthRequest> with the <RequestedAuthnContext> to the identity provider.

  4. The identity provider processes the <AuthRequest> by invoking the IDPAuthnContextMapper to map the incoming information to a defined authentication scheme.

    Note –

    If there is no matching authentication scheme, an authentication error page is displayed.

  5. The identity provider then redirects the user (including information regarding the authentication scheme) to the Authentication Service for authentication.

    For example, http://AM_host:AM_port/uri/UI/Login?module=LDAP redirects to the LDAP authentication module.

  6. After successful authentication, the user is redirected back to the identity provider for construction of a response based on the mapped authentication class reference.

  7. The identity provider then returns the user to the assertion consumer on the service provider side.

  8. After validating the response, the service provider creates a single sign-on token carrying the authentication level defined in the previous step.

A default authentication context mapper has been developed for both sides of the SAML v2 interaction. Details about the mappers are in the following sections:

The procedure for configuring mappings is in the following section:


The IDPAuthnContextMapper is configured for the identity provider and maps incoming authentication requests from the service provider to an Access Manager authentication scheme (user, role, module, level or service-based authentication), returning a response containing the authentication status to the service provider. The following attributes in the identity provider extended metadata are used by the IDPAuthnContextMapper:


The SPAuthnContextMapper is configured for the service provider and maps the parameters in incoming HTTP requests to an authentication context. It creates a <RequestedAuthnContext> element based on the query parameters and attributes configured in the extended metadata of the service provider. The <RequestedAuthnContext> element is then included in the <AuthnRequest> element sent from the service provider to the identity provider for authentication. The SPAuthnContextMapper also maps the authentication context on the identity provider side to the authentication level set as a property of the user's single sign-on token. The following sections describe the parameters and attributes:

SPAuthnContextMapper Parameters

The following query parameters can be set in the URL when accessing spSSOInit.jsp:

An example URL might be http://SP_host:SP_port/uri/spSSOInit.jsp?metaAlias=SP_MetaAlias&idpEntityID=IDP_EntityID&AuthnContextClassRef=PasswordProtectedTransport&AuthLevel=4&AuthComparision=minimum

SPAuthnContextMapper Attributes

The following attributes in the service provider extended metadata are used by the SPAuthnContextMapper:

ProcedureTo Configure Mappings

The following procedure assumes you are mapping urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport to authentication level 4 on the service provider and use the LDAP authentication module for authentication on the identity provider.

  1. Set the mapping for the spAuthncontextClassrefMapping property in the current extended service provider metadata.

    For example, PasswordProtectedTransport|4

  2. Reload the modified metadata using saml2meta.

    See The saml2meta Command-line Reference.

  3. Set the mapping for the idpAuthncontextClassrefMapping property in the current extended identity provider metadata.

    For example, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|module=LDAP

  4. Reload the modified metadata using saml2meta.

    See The saml2meta Command-line Reference.

  5. Access the single sign-on initialization page using the following URL: