Sun OpenSSO Enterprise 8.0 Administration Guide

Requesting a SAMLv2 Assertion for Authentication Context

A SAMLv2 assertion contains information regarding the context of a principal's authentication. The requesting party may require this additional information (for example, the authenticating technology or protocol used) in order to assess the level of confidence it can place in the assertion. To retrieve authentication context information, the service provider issues a query to the authentication authority. Only the SOAP binding is supported for this request, and signing is required, so make sure the Signing Certificate Alias attribute is configured for both the service provider and the authentication authority.

Procedure: To Configure for Authentication Context Queries

  1. Create and load the metadata for the service provider.

  2. Create the metadata for the identity provider using ssoadm and define these additional options for its role as an authentication authority.

    -C

    Defines the meta Alias for the hosted authentication authority to be created. The format must be realm name/identifier.

    -D

    Defines the authentication authority signing certificate alias.

    -E

    Defines the authentication authority encryption certificate alias.

    For example:

    ssoadm create-metadata-templ -u amadmin -f /tmp/pw -m /home/user1/tmp/mm -x /home/usr1/tmp/xx -s /idp -a test -r test -C /authna -D test2 -E test2 -y example.com

  3. Add the following attribute to the identity provider metadata file just created.

    This allows the identity provider to store assertions generated during the SAMLv2 Single Sign-on process.

    <IDPSSOConfig metaAlias="/idp">
        <Attribute name="assertionCacheEnabled">
            <Value>true</Value>
        </Attribute>
    </IDPSSOConfig>

  4. Configure for SAMLv2 single sign-on as documented in Configuring SAMLv2 Single Sign-on without Service Provider User Accounts.

  5. Do either of the following:

    • To send an authentication query from the service provider, use the sendAuthnQuery method of com.sun.identity.saml2.profile.AuthnQueryUtil:

      public static Response sendAuthnQuery(AuthnQuery authnQuery,
        String authnAuthorityEntityID, String realm, String binding)
        throws SAML2Exception;

    • To construct an AuthnQuery object, use com.sun.identity.saml2.assertion.* and com.sun.identity.saml2.protocol.*.
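The following is an added example, not code from the guide or from OpenSSO itself, that puts the two items above together: it builds an AuthnQuery with the assertion and protocol factories, sends it over SOAP through AuthnQueryUtil, checks the response status, and collects the AuthnContextClassRef values returned. The entity IDs, realm and subject values are hypothetical placeholders, and the factory and accessor method names are assumed from the OpenSSO SAMLv2 client API.

```java
import java.util.*;
import com.sun.identity.saml2.assertion.*;
import com.sun.identity.saml2.common.*;
import com.sun.identity.saml2.profile.AuthnQueryUtil;
import com.sun.identity.saml2.protocol.*;

public class AuthnContextQueryExample {
    // Hypothetical entity IDs and realm; replace with the deployment's own values.
    static final String SP_ENTITY_ID = "https://sp.example.com/sp";
    static final String AUTHN_AUTHORITY_ENTITY_ID = "https://idp.example.com/idp";
    static final String REALM = "/";

    // Build the AuthnQuery for one subject; the NameID value and format are those
    // the identity provider issued in the cached single sign-on assertion.
    public static AuthnQuery buildAuthnQuery(String nameIdValue, String nameIdFormat) throws SAML2Exception {
        AssertionFactory af = AssertionFactory.getInstance();
        Issuer issuer = af.createIssuer();
        issuer.setValue(SP_ENTITY_ID);          // the querying service provider
        NameID nameId = af.createNameID();
        nameId.setValue(nameIdValue);
        nameId.setFormat(nameIdFormat);
        Subject subject = af.createSubject();
        subject.setNameID(nameId);
        AuthnQuery query = ProtocolFactory.getInstance().createAuthnQuery();
        query.setID(SAML2Utils.generateID());
        query.setVersion(SAML2Constants.VERSION_2_0);
        query.setIssueInstant(new Date());
        query.setIssuer(issuer);
        query.setSubject(subject);
        return query;
    }

    // Send the query over SOAP (the only supported binding; OpenSSO signs it with the
    // service provider's Signing Certificate Alias) and return each AuthnContextClassRef.
    public static List<String> queryAuthnContextClassRefs(String nameIdValue, String nameIdFormat) throws SAML2Exception {
        Response response = AuthnQueryUtil.sendAuthnQuery(buildAuthnQuery(nameIdValue, nameIdFormat),
            AUTHN_AUTHORITY_ENTITY_ID, REALM, SAML2Constants.SOAP);
        // Refuse to read assertions out of a non-Success response (e.g. Responder or Requester errors).
        String status = response.getStatus().getStatusCode().getValue();
        if (!SAML2Constants.SUCCESS.equals(status)) {
            throw new SAML2Exception("AuthnQuery failed with status " + status);
        }
        List<String> classRefs = new ArrayList<String>();
        for (Object a : response.getAssertion()) {
            for (Object s : ((Assertion) a).getAuthnStatements()) {
                classRefs.add(((AuthnStatement) s).getAuthnContext().getAuthnContextClassRef());
            }
        }
        return classRefs;
    }
}
```

The returned class references (for example urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport) are what the service provider compares against its own policy before trusting the original assertion.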