shibboleth-dev - Authentication context in request map bug?
Shibboleth Developers list archive
- From: Lukas Haemmerle
- Subject: Authentication context in request map bug?
- Date: Wed, 20 Feb 2008 15:50:15 +0100
- Organization: SWITCH - Serving Swiss Universities
Using a Shib 2.0RC1 IdP and SP, I tested the authentication context classes (again). After making sure that the SP and IdP communicate over SAML2, I intended to protect one directory with the following request map:
<Path name="test" authType="shibboleth" requireSession="true" isPassive="true">
  <!-- "secure" is placed inside "test" so that the two closing </Path> tags balance
       (assumption: the tags as posted did not close properly) -->
  <Path name="secure"
        authType="shibboleth"
        requireSession="true"
        exportAssertion="true"
        authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
        authnContextComparison="exact">
    <AccessControl>
      <AND>
        <Rule require="Shib-SwissEP-HomeOrganization">aaitest.example.ch</Rule>
        <Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</Rule>
        <NOT>
          <Rule require="Shib-SwissEP-HomeOrganization">vho-switchaai.ch</Rule>
        </NOT>
      </AND>
    </AccessControl>
  </Path>
</Path>
This works as intended except for the authnContextClassRef in the Path element, which has no effect at all, meaning no special AC class is requested in the AuthnRequest. The XMLAccessControl rule requiring the authnContextClassRef is working, though.
Using
authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
authnContextComparison="exact"
in the SAML2 SessionInitiator instead works as intended. However, I want to use this AC class only on a specified path, as shown in the above example. I know that I can create another SessionInitiator and use this for the path (and this works fine as well), but according to:
https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapPath and https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapper#NativeSPRequestMapper-Properties
one can also use the authnContextClassRef in a Path element, right? Did I overlook something here?
Lukas
--
SWITCH
Serving Swiss Universities
--------------------------
Lukas Haemmerle, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
http://www.switch.ch
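One way to verify from the SP side whether the Path attribute took effect is to inspect the AuthnRequest the SP actually sends. The script below is an added diagnostic, not code from this thread or from the Shibboleth project; it parses a constructed SAML 2.0 AuthnRequest and reports the RequestedAuthnContext it carries (if any), so a request that silently dropped the class ref shows up as None instead of the expected exact/PasswordProtectedTransport pair.

```python
"""Report the RequestedAuthnContext inside a SAML 2.0 AuthnRequest.
Added diagnostic for the request-map issue above; not Shibboleth code."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def requested_authn_context(authn_request_xml):
    """Return (comparison, [class refs]) from an AuthnRequest, or None when
    the request carries no RequestedAuthnContext element at all."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None
    # SAML 2.0 core: Comparison defaults to "exact" when the attribute is absent.
    comparison = rac.get("Comparison", "exact")
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return comparison, refs


def check_expected_context(authn_request_xml, class_ref, comparison="exact"):
    """True only if the request asks for class_ref with the given comparison."""
    got = requested_authn_context(authn_request_xml)
    return got is not None and got[0] == comparison and class_ref in got[1]


# Constructed sample: what a request looks like when the Path attribute is ignored.
REQUEST_WITHOUT = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0"
  IssueInstant="2008-02-20T14:50:15Z">
  <saml:Issuer>https://sp.example.ch/shibboleth</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed sample: what the SP should send when the attribute takes effect.
REQUEST_WITH = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c2" Version="2.0"
  IssueInstant="2008-02-20T14:50:15Z">
  <saml:Issuer>https://sp.example.ch/shibboleth</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>""" % PPT

if __name__ == "__main__":
    print("without:", requested_authn_context(REQUEST_WITHOUT))
    print("with:", requested_authn_context(REQUEST_WITH))
```

Feed it the decoded AuthnRequest from the SP's SAML trace or from a redirect binding capture to see which of the two shapes a given Path actually produces.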