The SPAuthnContextMapper is configured for the service provider and maps the parameters in incoming HTTP requests to an authentication context. It creates a <RequestedAuthnContext> element based on the query parameters and attributes configured in the extended metadata of the service provider. The <RequestedAuthnContext> element is then included in the <AuthnRequest> element sent from the service provider to the identity provider for authentication. The SPAuthnContextMapper also maps the authentication context on the identity provider side to the authentication level set as a property of the user's single sign-on token. The following sections describe the parameters and attributes:
The following query parameters can be set in the URL when accessing spSSOInit.jsp:
AuthnContextClassRef or AuthnContextDeclRef: These parameters specify one or more URI references identifying authentication context classes (or declarations) supported by the provider. If no value is specified, the default is urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.
AuthLevel: This parameter specifies the authentication level of the authentication context being used for authentication.
AuthComparison: This parameter specifies the method of comparison used to evaluate the requested context classes or statements. Accepted values include:
exact, where the authentication context statement in the assertion must exactly match at least one of the authentication contexts specified.
minimum, where the authentication context statement in the assertion must be at least as strong (as deemed by the identity provider) as one of the authentication contexts specified.
maximum, where the authentication context statement in the assertion must be no stronger than any of the authentication contexts specified.
better, where the authentication context statement in the assertion must be stronger than any of the authentication contexts specified.
If the parameter is not specified, the default value is exact.
An example URL might be http://SP_host:SP_port/uri/spSSOInit.jsp?metaAlias=SP_MetaAlias&idpEntityID=IDP_EntityID&AuthnContextClassRef=PasswordProtectedTransport&AuthLevel=4&AuthComparison=minimum
The following attributes in the service provider extended metadata are used by the SPAuthnContextMapper:
The spAuthncontextMapper property specifies the name of the service provider mapper implementation.
The spAuthncontextClassrefMapping property specifies the mapping between authentication context class references and authentication levels, with each entry in the following format:
authnContextClassRef | authlevel [| default]
The spAuthncontextComparisonType property is optional and specifies the method of comparison used to evaluate the requested context classes or statements. It accepts the same values, with the same meanings, as the AuthComparison query parameter: exact, minimum, maximum, and better. If the property is not specified, the default value is exact.
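The following Python model walks through both halves of the mapper described above: choosing class references and a comparison method from the spSSOInit.jsp query parameters and the spAuthncontextClassrefMapping entries, building the RequestedAuthnContext element for the AuthnRequest, and mapping the AuthnContextClassRef the identity provider returns back to an authentication level. It is an added example, not code from the product documented here, and it does not reproduce the real SPAuthnContextMapper. The function names are hypothetical, and the following behaviours are assumptions rather than statements from the text: a bare class name such as PasswordProtectedTransport is expanded with the SAML 2.0 class prefix; an explicit AuthnContextClassRef takes precedence over AuthLevel; AuthLevel selects every configured class reference at or above that level; and the AuthComparison query parameter overrides spAuthncontextComparisonType. The mapping entries, query string and assertion fragment are constructed samples, and signature and issuer validation of the assertion are out of scope.

```python
from urllib.parse import parse_qs
from xml.etree import ElementTree as ET

SAML_AC_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
COMPARISONS = ("exact", "minimum", "maximum", "better")

# Constructed spAuthncontextClassrefMapping entries (format: classRef | authlevel [| default]).
SAMPLE_MAPPING = [
    SAML_AC_PREFIX + "Password|1",
    SAML_AC_PREFIX + "PasswordProtectedTransport|2|default",
    SAML_AC_PREFIX + "TimeSyncToken|4",
    SAML_AC_PREFIX + "X509|5",
]
# Constructed query string shaped like the spSSOInit.jsp URL in the text.
SAMPLE_QUERY = ("metaAlias=/sp&idpEntityID=https://idp.example.com"
                "&AuthnContextClassRef=PasswordProtectedTransport&AuthLevel=4&AuthComparison=minimum")
# Constructed assertion fragment as an IdP might return it (signature checks are out of scope).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>{SAML_AC_PREFIX}TimeSyncToken</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""


def parse_classref_mapping(entries):
    """Parse mapping entries into ({classRef: level}, default_classRef)."""
    mapping, default = {}, None
    for entry in entries:
        parts = [p.strip() for p in entry.split("|")]
        if len(parts) < 2:
            raise ValueError(f"malformed mapping entry: {entry!r}")
        mapping[parts[0]] = int(parts[1])
        if len(parts) > 2 and parts[2].lower() == "default":
            if default is not None:
                raise ValueError("more than one entry is flagged as default")
            default = parts[0]
    # Fallback stated in the text when no entry is flagged as default.
    return mapping, default or SAML_AC_PREFIX + "PasswordProtectedTransport"


def select_classrefs(query, mapping, default_classref):
    """Pick the class refs to request from the spSSOInit.jsp query parameters."""
    params = parse_qs(query)
    explicit = params.get("AuthnContextClassRef", [])
    if explicit:
        # Assumptions: explicit refs take precedence over AuthLevel, and a bare class
        # name (as in the text's example URL) gets the SAML 2.0 class prefix.
        return [r if r.startswith("urn:") else SAML_AC_PREFIX + r for r in explicit]
    if "AuthLevel" in params:
        wanted = int(params["AuthLevel"][0])
        # Assumption: every configured ref at or above the requested level is offered.
        chosen = sorted((lvl, ref) for ref, lvl in mapping.items() if lvl >= wanted)
        if not chosen:
            raise ValueError(f"no configured context reaches AuthLevel {wanted}")
        return [ref for _, ref in chosen]
    return [default_classref]


def comparison_from(query, configured=None):
    """AuthComparison wins (assumption); else spAuthncontextComparisonType; else 'exact'."""
    value = parse_qs(query).get("AuthComparison", [configured or "exact"])[0]
    if value not in COMPARISONS:
        raise ValueError(f"unsupported comparison {value!r}")
    return value


def build_requested_authn_context(classrefs, comparison):
    """Build the <samlp:RequestedAuthnContext> element carried in the AuthnRequest."""
    if comparison not in COMPARISONS:
        raise ValueError(f"unsupported comparison {comparison!r}")
    el = ET.Element(f"{{{SAMLP_NS}}}RequestedAuthnContext", {"Comparison": comparison})
    for ref in classrefs:
        ET.SubElement(el, f"{{{SAML_NS}}}AuthnContextClassRef").text = ref
    return el


def auth_level_for_assertion(assertion_xml, mapping):
    """Map the returned AuthnContextClassRef to the SP's auth level; fail closed if unmapped."""
    el = ET.fromstring(assertion_xml).find(f".//{{{SAML_NS}}}AuthnContextClassRef")
    ref = (el.text or "").strip() if el is not None else ""
    if ref not in mapping:
        raise ValueError(f"unmapped or missing authentication context {ref!r}")
    return ref, mapping[ref]


def context_satisfies(comparison, requested_refs, returned_ref, mapping):
    """Re-check the IdP's answer against the request using the SP's own levels."""
    if comparison not in COMPARISONS:
        raise ValueError(f"unsupported comparison {comparison!r}")
    if comparison == "exact":
        return returned_ref in requested_refs
    levels = [mapping[r] for r in requested_refs if r in mapping]
    if not levels or returned_ref not in mapping:
        return False  # cannot rank an unmapped context: fail closed
    got = mapping[returned_ref]
    if comparison == "minimum":
        return got >= min(levels)
    if comparison == "maximum":
        return got <= max(levels)
    return got > max(levels)  # better
```

The design point worth keeping is in the last two functions: an unmapped or missing AuthnContextClassRef raises instead of silently becoming level 0, and context_satisfies re-evaluates the comparison on the service provider side using its own authentication levels rather than assuming the identity provider honoured the requested Comparison. The ranking used for minimum, maximum and better follows the SAML 2.0 core meanings (at least as strong as one of the requested contexts, no stronger than the strongest requested, strictly stronger than any requested), applied with the SP's configured levels as the strength measure.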