Configuration to allow contents of metadata to affect behavior of SP
Description
Motivating use-case: Before the SP requests authnContextClassRef=silver from an IdP, it is good practice to scan the configured metadata to see if the IdP has been certified at silver. However, this requires extra programming on the part of the SP developer. It would be nice if the SP software itself could be configured to add the authnContextClassRef=silver parameter automatically for those IdPs which have been certified at silver.
In broader terms, it would be nice if the SP's behavior could change based on the presence/absence/values of certain attributes in metadata.
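The manual check the description refers to, as an added example (not Shibboleth SP code and not part of the original issue): scan the configured metadata for the IdP's EntityAttributes extension and pick the authnContextClassRef to send on the session initiator from what the IdP is actually certified for. The metadata below is constructed for the example; the assurance-certification attribute name and the InCommon silver/bronze URIs are real, but the mapping from a certification value to the context class requested, the preference order, and the helper names are assumptions.

```python
"""Choose an authnContextClassRef per IdP from entity attributes in SAML metadata.

Added example, not Shibboleth SP code. The metadata is constructed; the mapping
from certification URI to requested context class is an assumption."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

# Assumed: which certification in metadata justifies requesting which context
# class, and the order in which the SP prefers them (strongest first).
CERT_TO_CONTEXT = {
    "http://id.incommon.org/assurance/silver": "http://id.incommon.org/assurance/silver",
    "http://id.incommon.org/assurance/bronze": "http://id.incommon.org/assurance/bronze",
}
PREFERRED = ["http://id.incommon.org/assurance/silver",
             "http://id.incommon.org/assurance/bronze"]

# Constructed metadata: one IdP certified at bronze and silver, one with no
# EntityAttributes extension at all.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp-silver.example.org/idp/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://id.incommon.org/assurance/bronze</saml:AttributeValue>
          <saml:AttributeValue>http://id.incommon.org/assurance/silver</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-plain.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_attributes(metadata_xml, entity_id):
    """Return {attribute Name: [values]} from the mdattr:EntityAttributes
    extension of the named entity, or {} if the entity or extension is absent."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue
        attrs = {}
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
            attrs.setdefault(attr.get("Name"), []).extend(values)
        return attrs
    return {}


def certifications(metadata_xml, entity_id):
    """Set of assurance-certification values the IdP asserts in metadata."""
    return set(entity_attributes(metadata_xml, entity_id).get(ASSURANCE_ATTR, []))


def authn_context_to_request(metadata_xml, entity_id):
    """First preferred context class whose certification the IdP holds, else
    None: with no certification on record the SP sends no authnContextClassRef
    rather than asking for a profile the IdP cannot satisfy."""
    certs = certifications(metadata_xml, entity_id)
    for cert in PREFERRED:
        if cert in certs:
            return CERT_TO_CONTEXT[cert]
    return None


def session_initiator_params(metadata_xml, entity_id):
    """Query parameters the SP would put on its SessionInitiator for this IdP.
    authnContextClassRef/authnContextComparison are real SP parameter names;
    requesting 'exact' comparison is this example's choice."""
    params = {"entityID": entity_id}
    ctx = authn_context_to_request(metadata_xml, entity_id)
    if ctx is not None:
        params["authnContextClassRef"] = ctx
        params["authnContextComparison"] = "exact"
    return params


if __name__ == "__main__":
    for eid in ("https://idp-silver.example.org/idp/shibboleth",
                "https://idp-plain.example.org/idp/shibboleth"):
        print(session_initiator_params(SAMPLE_METADATA, eid))
```

The point of the issue is that the SP should make this decision itself from the same metadata, so that an IdP-specific context class can be set at the RelyingParty layer (by entityID or by EntityAttribute) instead of in code like the above; the example is only the check that deployers had to write by hand before that existed.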
Environment
None
Activity
Scott Cantor June 14, 2016 at 6:42 PM
Basic reference doc added.
Scott Cantor June 14, 2016 at 6:27 PM
c19edf5df0957d0d203b03b253be574eed4cc177
The WS-Fed handler also consumes the authnContextClassRef setting, so added the same behavior there.
Need to review for additional places to add support.
Scott Cantor June 13, 2016 at 3:34 PM
Within reason, this isn't much work to support at least some features.
At minimum, I can fall back to checking the RelyingParty layer for NameIDFormat, SPNameQualifier, authnContextClassRef, and authnContextComparison. That would be done only if they weren't set via parameter, RequestMap/setting, or explicitly on a SessionInitiator.
I think that gets us the basic use case that's lacking: choosing the context class to request based on IdP identity or EntityAttribute.
I don't happen to think that's the right thing to do. I would simply request what you accept, in order, and just deal with the results. I think asking federations to track what IdPs do at this level of detail isn't going to be practical. But it certainly may be within a small community, so worth supporting.
Scott Cantor April 28, 2016 at 5:50 PM
Probably won't be able to give this enough attention for 2.6.0, but I'll reschedule if need be.
Resolution
Fixed