Project: Identity Provider
Issue: IDP-780

Default v3 configuration does not properly handle authn requests with the "unspecified" AuthnContextClassRef


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.2
    • Fix Version/s: 3.2.0
    • Component/s: Authentication, SAML2
    • Labels:
      None

      Description

      As reported today on the users list: an AuthnRequest which includes

      <samlp:RequestedAuthnContext>
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
          urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
        </saml:AuthnContextClassRef>
      </samlp:RequestedAuthnContext>

      will trigger an error status with the v3 default configuration (urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext, "None of the potential authentication flows can satisfy the request" in the IdP log).

      The default configuration should be adapted to handle this case more gracefully; a possible solution consists of adding urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified to the supportedPrincipals list in the shibboleth.AuthenticationFlow bean, so that unspecified is treated as a request for password-based authn.
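      An added example of what the proposed change looks like in an IdP v3 flow definition (not code from this issue or from the project's actual fix): the bean layout follows the conventions of the default conf/authn/general-authn.xml, the existing entries are assumed to be the v3 defaults, and the only change is the extra "unspecified" principal on the password flow.

```xml
<!-- conf/authn/general-authn.xml (added example; bean shape assumed from the IdP v3 default file) -->
<bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
        p:passiveAuthenticationSupported="true"
        p:forcedAuthenticationSupported="true">
    <property name="supportedPrincipals">
        <list>
            <!-- Assumed v3 defaults: what the password flow already advertises. -->
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
            <!-- Added entry proposed by this issue: an AuthnRequest whose
                 RequestedAuthnContext asks for "unspecified" now matches this
                 flow instead of failing with urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext. -->
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" />
            <bean parent="shibboleth.SAML1AuthenticationMethod"
                c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
        </list>
    </property>
</bean>
```

      Putting the entry on the password flow only (rather than on every flow) keeps the mapping explicit: "unspecified" is satisfied by password-based authentication and nothing stronger is implied.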


            People

            Assignee:
            cantor.2@osu.edu Scott Cantor
            Reporter:
            Kaspar Brand
            Watchers:
            3


                Time Tracking

                Estimated: Not Specified
                Remaining: 0m
                Logged: 1h 15m