Authentication context refers to information added to an assertion regarding details of the technology used for the actual authentication action. For example, a service provider can request that an identity provider comply with a specific authentication method by identifying that method in an authentication request. The authentication context mapper pairs a standard SAML v2 authentication context class reference (PasswordProtectedTransport, for example) with an OpenSSO Enterprise authentication scheme (module=LDAP, for example) on the identity provider side and sets the appropriate authentication level in the user's SSO token on the service provider side. The identity provider then delivers the authentication context information in the form of an authentication context declaration added to the assertion. The process for this is described below.
A user accesses spSSOInit.jsp using the AuthnContextClassRef query parameter.
For example, http://SP_host:SP_port/uri/spSSOInit.jsp?metaAlias=SP_MetaAlias&idpEntityID=IDP_EntityID&AuthnContextClassRef=PasswordProtectedTransport
The SPAuthnContextMapper is invoked to map the value of the query parameter to a <RequestedAuthnContext> and an authentication level.
The service provider sends the <AuthnRequest> with the <RequestedAuthnContext> to the identity provider.
The identity provider processes the <AuthnRequest> by invoking the IDPAuthnContextMapper to map the incoming information to a defined authentication scheme.
If there is no matching authentication scheme, an authentication error page is displayed.
The identity provider then redirects the user (including information regarding the authentication scheme) to the Authentication Service for authentication.
For example, http://osso_host:osso_port/uri/UI/Login?module=LDAP redirects to the LDAP authentication module.
After successful authentication, the user is redirected back to the identity provider for construction of a response based on the mapped authentication class reference.
The identity provider then returns the user to the assertion consumer on the service provider side.
After validating the response, the service provider creates a single sign-on token carrying the authentication level defined in the previous step.
A default authentication context mapper has been developed for both sides of the SAML v2 interaction. Details about the mappers are in the following sections:
If implementing a custom authentication context mapper, change the value of the provider's Authentication Context Mapper property using the OpenSSO Enterprise console.
The IDPAuthnContextMapper is configured for the identity provider and maps incoming authentication requests from the service provider to an OpenSSO Enterprise authentication scheme (user, role, module, level or service-based authentication), returning a response containing the authentication status to the service provider. The following attributes in the identity provider extended metadata are used by the IDPAuthnContextMapper:
The idpAuthncontextMapper property specifies the mapper implementation.
The idpAuthncontextClassrefMapping property specifies the mapping between a standard SAMLv2 authentication context class reference and an OpenSSO Enterprise authentication scheme. It takes a value in the following format:
authnContextClassRef | authlevel | authnType=authnValue | authnType=authnValue | ... [|default] |
For example, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|3|module=LDAP|default maps the SAMLv2 PasswordProtectedTransport class reference to the OpenSSO Enterprise LDAP authentication module.
The SPAuthnContextMapper is configured for the service provider and maps the parameters in incoming HTTP requests to an authentication context. It creates a <RequestedAuthnContext> element based on the query parameters and attributes configured in the extended metadata of the service provider. The <RequestedAuthnContext> element is then included in the <AuthnRequest> element sent from the service provider to the identity provider for authentication. The SPAuthnContextMapper also maps the authentication context on the identity provider side to the authentication level set as a property of the user's single sign-on token. The following query parameters can be set in the URL when accessing spSSOInit.jsp:
AuthnContextClassRef or AuthnContextDeclRef: These properties specify one or more URI references identifying the provider's supported authentication context classes. If a value is not specified, the default is urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.
AuthLevel: This parameter specifies the authentication level of the authentication context being used for authentication.
AuthComparison: This parameter specifies the method of comparison used to evaluate the requested context classes or statements. Accepted values include:
exact where the authentication context statement in the assertion must be an exact match of at least one of the authentication contexts specified.
minimum where the authentication context statement in the assertion must be at least as strong (as deemed by the identity provider) as one of the authentication contexts specified.
maximum where the authentication context statement in the assertion must be no stronger than any of the authentication contexts specified.
better where the authentication context statement in the assertion must be stronger than any of the authentication contexts specified.
If the element is not specified, the default value is exact.
An example URL might be http://SP_host:SP_port/uri/spSSOInit.jsp?metaAlias=SP_MetaAlias&idpEntityID=IDP_EntityID&AuthnContextClassRef=PasswordProtectedTransport&AuthLevel=4&AuthComparison=minimum
The following attributes in the service provider extended metadata are used by the SPAuthnContextMapper:
The spAuthncontextMapper property specifies the name of the service provider mapper implementation.
The spAuthncontextClassrefMapping property specifies the map of authentication context class reference and authentication level in the following format:
authnContextClassRef | authlevel [| default]
The spAuthncontextComparisonType property is optional and specifies the method of comparison used to evaluate the requested context classes or statements. Accepted values include:
exact where the authentication context statement in the assertion must be an exact match of at least one of the authentication contexts specified.
minimum where the authentication context statement in the assertion must be at least as strong (as deemed by the identity provider) as one of the authentication contexts specified.
maximum where the authentication context statement in the assertion must be no stronger than any of the authentication contexts specified.
better where the authentication context statement in the assertion must be stronger than any of the authentication contexts specified.
If the element is not specified, the default value is exact.
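The following example, added here and not part of the OpenSSO Enterprise product or its documentation, parses the idpAuthncontextClassrefMapping and spAuthncontextClassrefMapping entry formats described above and applies the exact, minimum, maximum and better comparison rules to a requested class reference. It assumes that scheme strength is ordered by the configured authlevel, and all mapping entries other than the page's own PasswordProtectedTransport example are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CtxMapping:
    class_ref: str
    level: int
    scheme: dict          # authnType -> authnValue, e.g. {"module": "LDAP"}; empty on the SP side
    default: bool = False

def parse_mapping(entry: str) -> CtxMapping:
    """Parse one entry: authnContextClassRef | authlevel | authnType=authnValue | ... [| default]
    The SP-side format (authnContextClassRef | authlevel [| default]) is the same with no
    authnType=authnValue pairs, so one parser serves both extended-metadata properties."""
    parts = [p.strip() for p in entry.strip().strip("|").split("|")]   # tolerate the trailing "|"
    if len(parts) < 2:
        raise ValueError(f"need at least authnContextClassRef|authlevel: {entry!r}")
    class_ref, level, rest = parts[0], int(parts[1]), parts[2:]
    default = bool(rest) and rest[-1] == "default"
    if default:
        rest = rest[:-1]
    scheme = {}
    for pair in rest:
        typ, sep, val = pair.partition("=")
        if not sep or not typ or not val:
            raise ValueError(f"bad authnType=authnValue pair: {pair!r}")
        scheme[typ] = val
    return CtxMapping(class_ref, level, scheme, default)

def select_scheme(mappings, requested_refs, comparison="exact"):
    """Choose the IdP scheme for a <RequestedAuthnContext>. Strength is ordered by authlevel
    (an assumption of this example). Returns None when nothing matches, which is the case
    in which the identity provider shows its authentication error page."""
    by_ref = {m.class_ref: m for m in mappings}
    known = [by_ref[r] for r in requested_refs if r in by_ref]
    if not known:
        return None
    lo, hi = min(m.level for m in known), max(m.level for m in known)
    if comparison == "exact":
        return known[0]                                   # first requested class that is mapped
    if comparison == "minimum":                           # weakest scheme at least as strong as the weakest requested
        pool = sorted((m for m in mappings if m.level >= lo), key=lambda m: m.level)
    elif comparison == "better":                          # weakest scheme strictly stronger than every requested one
        pool = sorted((m for m in mappings if m.level > hi), key=lambda m: m.level)
    elif comparison == "maximum":                         # strongest scheme no stronger than the strongest requested
        pool = sorted((m for m in mappings if m.level <= hi), key=lambda m: -m.level)
    else:
        raise ValueError(f"unknown AuthComparison value: {comparison!r}")
    return pool[0] if pool else None

# Constructed IdP extended-metadata sample; the first entry is the page's own example.
IDP_MAPPINGS = [parse_mapping(e) for e in (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|3|module=LDAP|default",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password|1|module=DataStore",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509|5|module=Cert",
)]
```

A request for PasswordProtectedTransport with AuthComparison=better therefore resolves to the level-5 scheme, while the same request for X509 finds nothing stronger and yields None.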