Thread: authnContextClassRef values

  1. #1

    authnContextClassRef values

    We have multiple LAG clusters using the same IDP clusters.

    One cluster is for the home office and is in the xyz.com domain.

    The other is for a specific group and is in the abc.xyz.com domain.

    We are using SAML federation with WebEx and it works well when we
    authenticate from xyz.com.

    However, when we authenticate first from the abc.xyz.com domain the
    SAML assertion fails.


    We see the following differences in the SAML assertion:

    When we go to the site directly, or if we have authenticated from
    xyz.com, the AuthnContextClassRef is: (which works)
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>


    When we go to the abc.xyz.com domain and authenticate and then go to the SP,
    we see (which fails)
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>


    We can set the value on the SP to only one value.
    Can someone explain:
    How should the saml:AuthnContextClassRef values be used?

    Why are they different?

    If we set the value on the SP to:
    "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

    Does that imply the SP should accept any?


    --

    Thank You for your help!

    -jim
    Jim Willeke


  2. #2
    Automatic reply NNTP User

    Re: authnContextClassRef values

    Adam,

    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.

    Has your problem been resolved? If not, you might try one of the following options:

    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)

    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php

    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.

    Good luck!

    Your Novell Product Support Forums Team
    http://forums.novell.com/


  3. #3

    Re: authnContextClassRef values

    Jim Willeke wrote:

    > We have multiple LAG clusters using the same IDP clusters.
    >
    > One cluster is for the home office and is in the xyz.com domain.
    >
    > The other is for a specific group and is in the abc.xyz.com domain.
    >
    > We are using SAML federation with WebEx and it works well when we
    > authenticate from xyz.com.
    >
    > However, when we authenticate first from the abc.xyz.com domain the
    > SAML assertion fails.
    >
    >
    > We see the following differences in the SAML assertion:
    >
    > When we go to the site directly, or if we have authenticated from
    > xyz.com, the AuthnContextClassRef is: (which works)
    > <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    >
    > When we go to the abc.xyz.com domain and authenticate and then go to the
    > SP, we see (which fails)
    > <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    >
    > We can set the value on the SP to only one value.
    > Can someone explain:
    > How should the saml:AuthnContextClassRef values be used?


    The way I understand it is that it allows you to tell the SP that you
    have authenticated with contract X. Let's say you use an SP-initiated
    login and the SP requires that you use two-factor authentication. The
    SP wants to know that you truly authenticated with it, so the SAML
    assertion contains a statement that you have authenticated with a
    certain contract. It is up to the SP to read this element. Do
    abc.xyz.com and xyz.com use different contracts by any chance?


    --
    Cheers,
    Edward

  4. #4

    Re: authnContextClassRef values

    On 2012-06-26 11:43:53 +0000, Edward van der Maas said:

    > Jim Willeke wrote:
    >
    >> We have multiple LAG clusters using the same IDP clusters.
    >>
    >> One cluster is for the home office and is in the xyz.com domain.
    >>
    >> The other is for a specific group and is in the abc.xyz.com domain.
    >>
    >> We are using SAML federation with WebEx and it works well when we
    >> authenticate from xyz.com.
    >>
    >> However, when we authenticate first from the abc.xyz.com domain the
    >> SAML assertion fails.
    >>
    >>
    >> We see the following differences in the SAML assertion:
    >>
    >> When we go to the site directly, or if we have authenticated from
    >> xyz.com, the AuthnContextClassRef is: (which works)
    >> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    >>
    >> When we go to the abc.xyz.com domain and authenticate and then go to the
    >> SP, we see (which fails)
    >> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    >>
    >> We can set the value on the SP to only one value.
    >> Can someone explain:
    >> How should the saml:AuthnContextClassRef values be used?

    >
    > The way I understand it is that it allows you to tell the SP that you
    > have authenticated with contract X. Let's say you use an SP-initiated
    > login and the SP requires that you use two-factor authentication. The
    > SP wants to know that you truly authenticated with it, so the SAML
    > assertion contains a statement that you have authenticated with a
    > certain contract. It is up to the SP to read this element. Do
    > abc.xyz.com and xyz.com use different contracts by any chance?


    Yes, they are different contracts, but all are acceptable.
    We were able to solve this by adding both of the values for the
    <saml:AuthnContextClassRef> on the WebEx side.
    (Separated with a ";")

    But I am still very curious why the two different values would be presented.
    Or even what the various values of <saml:AuthnContextClassRef> might be
    and under what conditions.
    I have not been able to find any definition of how it is supposed to be used.


    --

    Thank You for your help!

    -jim
    Jim Willeke
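
    The following is an added example and is not code from the thread, from
    Novell Access Manager or from WebEx. It shows the two places where an SP
    touches the authentication context that Edward describes in #3 and that
    Jim configured in #4: the SP states which context classes it will accept
    in the <samlp:RequestedAuthnContext> of an SP-initiated AuthnRequest (the
    Comparison attribute values exact/minimum/better/maximum come from SAML 2.0
    Core), and on the returned assertion it reads <saml:AuthnContextClassRef>
    and applies its own policy. The class URIs are the ones the SAML 2.0
    Authentication Context spec defines; "unspecified" there means the IdP is
    not asserting how the user authenticated, so the check below only accepts
    it if it is explicitly on the allow list, not as a wildcard. The ";"
    separated allow list mirrors what Jim entered on the WebEx side; how WebEx
    itself matches that list is not known here and is an assumption, as are the
    function names and the two constructed sample responses.

```python
"""
Added example (not from the thread): how a Service Provider uses
saml:AuthnContextClassRef.

  1. SP-initiated login: the SP states the context classes it accepts in
     <samlp:RequestedAuthnContext>.  With Comparison="exact" the IdP must
     assert one of the listed classes.
  2. On the returned assertion the SP reads <saml:AuthnContextClassRef>
     and decides whether that class satisfies its policy.

All function names are hypothetical; the sample responses are constructed
to have the minimal shape of the two assertions Jim saw.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Class URIs from the SAML 2.0 Authentication Context specification.
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PASSWORD = AC + "Password"
PPT = AC + "PasswordProtectedTransport"
UNSPECIFIED = AC + "unspecified"


def build_requested_authn_context(classes, comparison="exact"):
    """Return the <samlp:RequestedAuthnContext> an SP embeds in its
    AuthnRequest.  'comparison' is the Comparison attribute from SAML 2.0
    Core: exact, minimum, better or maximum."""
    if comparison not in ("exact", "minimum", "better", "maximum"):
        raise ValueError("invalid Comparison value: %s" % comparison)
    rac = ET.Element("{%s}RequestedAuthnContext" % NS["samlp"],
                     Comparison=comparison)
    for cls in classes:
        ref = ET.SubElement(rac, "{%s}AuthnContextClassRef" % NS["saml"])
        ref.text = cls
    return ET.tostring(rac, encoding="unicode")


def parse_allow_list(value):
    """Parse a ';'-separated allow list (the form Jim entered on the WebEx
    side; WebEx's own matching rules are an assumption) into a set."""
    return {v.strip() for v in value.split(";") if v.strip()}


def extract_authn_context_class(response_xml):
    """Return the single AuthnContextClassRef in a SAML Response.
    Assumes the Response/Assertion signature has ALREADY been verified;
    never base a policy decision on an unverified assertion."""
    root = ET.fromstring(response_xml)
    refs = root.findall(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        NS)
    if len(refs) != 1:
        raise ValueError("expected exactly one AuthnContextClassRef, found %d"
                         % len(refs))
    return (refs[0].text or "").strip()


def sp_accepts(response_xml, allowed):
    """SP policy: accept only if the asserted class is on the allow list.
    'unspecified' means the IdP did not say how the user authenticated, so
    it is accepted only when explicitly listed, never as a wildcard."""
    return extract_authn_context_class(response_xml) in allowed


def _sample_response(cls):
    """Constructed sample with the minimal shape of the assertions in #1."""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">'
        '<saml:Assertion><saml:AuthnStatement><saml:AuthnContext>'
        '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>'
        '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>'
        '</samlp:Response>' % (NS["samlp"], NS["saml"], cls)
    )


RESPONSE_FROM_XYZ = _sample_response(PPT)       # what xyz.com produced
RESPONSE_FROM_ABC = _sample_response(PASSWORD)  # what abc.xyz.com produced


if __name__ == "__main__":
    only_ppt = parse_allow_list(PPT)
    both = parse_allow_list(PPT + ";" + PASSWORD)
    print(sp_accepts(RESPONSE_FROM_XYZ, only_ppt))   # True
    print(sp_accepts(RESPONSE_FROM_ABC, only_ppt))   # False: Jim's failure
    print(sp_accepts(RESPONSE_FROM_ABC, both))       # True: after the fix
    print(build_requested_authn_context([PPT, PASSWORD]))
```

    The two contracts on the IdP side produce two different class URIs, so an
    SP configured for exactly one of them rejects the other; listing both, as
    Jim did, is the SP saying both contracts are acceptable for this service.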


  5. #5

    Re: authnContextClassRef values

    Jim Willeke wrote:


    > Yes, they are different contracts, but all are acceptable.
    > We were able to solve this by adding both of the values for the
    > <saml:AuthnContextClassRef> on the WebEx side. (Separated with a ";")
    >
    > But I am still very curious why the two different values would be
    > presented. Or even what the various values of
    > <saml:AuthnContextClassRef> might be and under what conditions. I
    > have not been able to find any definition of how it is supposed to be
    > used.


    Well...from the SAML2 spec (see
    http://docs.oasis-open.org/security/...ore-2.0-os.pdf) it
    is used to define an authentication context...I guess that can be
    interpreted in many ways...

    --
    Cheers,
    Edward
