test

Sun OpenSSO Enterprise 8.0 Administration Reference

Authentication Context

This attribute maps the SAMLv2-defined authentication context classes to the authentication level set for the user session for the service provider .

Mapper

Specifies the implementation of the SPAuthnContextMapper interface used to create the requested authentication context. The default implementation is com.sun.identity.saml2.plugins.DefaultSPAuthnContexteMapper.

Supported

Select the check box next to the authentication context class if the identity provider supports it.

Context Reference

The SAMLv2-defined authentication context classes are:

  • InternetProtocol

  • InternetProtocolPassword

  • Kerberos

  • MobileOneFactorUnregistered

  • MobileTwoFactorUnregistered

  • MobileOneFactorContract

  • MobileTwoFactorContract

  • Password

  • Password-ProtectedTransport

  • Previous-Session

  • X509

  • PGP

  • SPKI

  • XMLDSig

  • Smartcard

  • Smartcard-PKI

  • Software-PKI

  • Telephony

  • NomadTelephony

  • PersonalTelephony

  • AuthenticaionTelephony

  • SecureRemotePassword

  • TLSClient

  • Time-Sync-Token

  • Unspecified

Level

Takes as a value a positive number that maps to an authentication level defined in the OpenSSO Enterprise Authentication Framework. The authentication level indicates how much to trust a method of authentication.

In this framework, each service provider is configured with a default authentication context (preferred method of authentication). However, the provider might like to change the assigned authentication context to one that is based on the defined authentication level. For example, provider B would like to generate a local session with an authentication level of 3 so it requests the identity provider to authenticate the user with an authentication context assigned that level. The value of this query parameter determines the authentication context to be used by the identity provider.

Comparison Type

Specifies what the resulting authentication context must be when compared to the value of this property. Accepted values include:

  • exact where the authentication context statement in the assertion must be the exact match of, at least, one of the authentication contexts specified.

  • minimum where the authentication context statement in the assertion must be, at least, as strong (as deemed by the identity provider) one of the authentication contexts specified.

  • maximum where the authentication context statement in the assertion must be no stronger than any of the authentication contexts specified.

  • better where the authentication context statement in the assertion must be stronger than any of the authentication contexts specified.

The default value is exact.