Multiple RequestedAuthnContexts

Hi,

I’m checking the documentation about AuthnContexts.
In the ComponentSpace.SAML2.SSOOptions I have these attributes:


public string RequestedAuthnContextComparison { get; set; }
public IList RequestedAuthnContexts { get; set; }



As far as I understood, I can work with more than one RequestedAuthnContexts as that property is a List
(urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
and urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, for example).

But I can’t set more than one RequestedAuthnContextComparison as that property is a string.

Can I work with more than one RequestedAuthnContexts and different Comparisons?

Thank you very much

I’m afraid that isn’t supported by the SAML specification.
You can specify one or more authn contexts but only a single comparison.
Quoting from the specification:

If Comparison is set to “exact” or omitted, then the resulting authentication context in the authentication statement MUST be the exact match of at least one of the authentication contexts specified.
If Comparison is set to “minimum”, then the resulting authentication context in the authentication statement MUST be at least as strong (as deemed by the responder) as one of the authentication contexts specified.
If Comparison is set to “better”, then the resulting authentication context in the authentication statement MUST be stronger (as deemed by the responder) than any one of the authentication contexts specified.
If Comparison is set to “maximum”, then the resulting authentication context in the authentication statement MUST be as strong as possible (as deemed by the responder) without exceeding the strength of at least one of the authentication contexts specified.
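
Added example, not part of the original thread and not ComponentSpace code: the element an SP sends when several authn contexts share the single Comparison attribute, plus an SP-side check that the returned assertion honours Comparison="exact". Function names and the sample assertion are constructed for illustration, and the assertion is assumed to have passed signature validation already.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
COMPARISONS = {"exact", "minimum", "maximum", "better"}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_requested_authn_context(class_refs, comparison="exact"):
    """Build <samlp:RequestedAuthnContext>: many class refs, one Comparison."""
    if comparison not in COMPARISONS:
        raise ValueError(f"invalid Comparison: {comparison!r}")
    if not class_refs:
        raise ValueError("at least one AuthnContextClassRef is required")
    # Comparison is an attribute of the parent element, so it applies to
    # every AuthnContextClassRef child; there is no per-context slot.
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": comparison})
    for ref in class_refs:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return rac


def satisfies_exact(assertion_xml, requested):
    """True only if every AuthnStatement carries one of the requested class
    refs. Requiring all statements to match is this example's policy choice."""
    root = ET.fromstring(assertion_xml)  # assumed already signature-validated
    statements = root.findall(f".//{{{SAML}}}AuthnStatement")
    if not statements:
        return False
    path = f"{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef"
    for statement in statements:
        ref = statement.find(path)
        if ref is None or (ref.text or "").strip() not in requested:
            return False
    return True


def sample_assertion(class_ref):
    """Constructed, unsigned assertion fragment used only as sample input."""
    return (f'<saml:Assertion xmlns:saml="{SAML}"><saml:AuthnStatement>'
            f"<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}"
            "</saml:AuthnContextClassRef></saml:AuthnContext>"
            "</saml:AuthnStatement></saml:Assertion>")


REQUESTED = [AC + "Kerberos", AC + "PasswordProtectedTransport"]
if __name__ == "__main__":
    print(ET.tostring(build_requested_authn_context(REQUESTED), encoding="unicode"))
```

With "minimum", "better" or "maximum" the strength ordering is decided by the responder, so an SP that needs to enforce those locally has to keep its own ranking of context classes.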

Thank you very much for the fast reply.
I have one more question about the AuthnContexts.

I’ve been trying to find that “AuthnContexts” information in the MetaData documentation but I can’t find it.
Is that information in the MetaData? If not, what is the best way to share this information?

Thank you very much.

The SAML metadata specification doesn’t support authn contexts.
You would have to share this information in an ad-hoc manner.

Thank you very much.

You’re welcome.