Translate nonexistent ACR in responses
Description
Activity
I’ve allowed the RP to pass empty AMR and ACR lists to the translators (currently it would not invoke the translators if no claim was present in the response).
On its own, this would allow you to override the authenticationContextClassReferenceTranslationStrategyLookupStrategy profile bean and come up with custom logic for mapping the ACR claims. The default function is ProxyAwareDefaultOIDCAuthenticationContextClassResponseLookupFunction (which is in oidc-common).
Maybe it is easier if I write the flow here. First Upstream SAML2 case
Relying party asks proxy to authenticate user with ACR “LoginHaka”. That means essentially in our vocabulary that user needs to be authenticated by IdP in Haka federation, standard password authentication is fine. This becomes now Requested Principal.
Based on this information proxy directs user first to Haka Discovery and then to selected IdP. There is RequestMapping from “LoginHaka” to empty list so there is no ACR sent to upstream IdP.
We get back from the Haka IdP and use response mapping. There is mapping from set of known ACRs back to “LoginHaka”. So if we get back “password” or “refeds mfa”, we are happy with that and map it back to “LoginHaka”.
Shibboleth machinery is happy, client asked for “LoginHaka” and it is satisfied.
Now, with OIDC upstream, in phase 3 we are not always getting back an ACR value. Imagine us having ACR “LoginGoogle” (we do not) for our clients. We would direct user to authenticate to Google and it would not return back any ACR. In phase 3 we are not able to translate (as we have nothing to translate) that back now to “LoginGoogle” in response mapping and authentication does not satisfy the requirement. Shibboleth machinery is not happy.
My thinking is that this would work if I could express in response mapping that nonexistent ACR can be translated to “LoginGoogle”. @Philip Smart
I had not considered this use case of the ACR claim. @jlauros@csc.fi should it only be able to translate a nonexistent ACR from the OP into an ACR value it received from the SP? Otherwise, you could only map to a static ACR value, and the use case above looks like the value is dynamic and based on the incoming ACRs from the SP.
Proxies may have their own ACR vocabulary for downstream clients. ACR value may indicate for instance that “Please authenticate using InCommon federation” or “Please authenticate using OIDC Issuer X”. In the latter case, when using OIDC, there might not be any ACR value in the response from upstream OIDC OP. In this case I would need to be able to translate nonexistent ACR to “Please authenticate using OIDC Issuer X” or the authentication fails as it does not satisfy the requirement. Currently the OIDC RP module does not seem to be able to do that, translate nonexistent ACR value. Could we have that supported as well?
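The request/response mapping flow described in the thread above (the upstream SAML2 "LoginHaka" case and the upstream OIDC "LoginGoogle" case with no ACR in the response), modelled as an added, self-contained example. This is not Shibboleth or oidc-common code and does not use the plugin's API: the rule table, the NO_ACR sentinel, the issuer URLs and the "only translate a missing ACR into something the client requested" restriction that the second comment asks about are all assumptions made for illustration.

```python
"""Toy model of a proxy's ACR request mapping and response mapping.

Constructed for illustration; the "LoginHaka"/"LoginGoogle" vocabulary,
the issuer URLs and the rule table are assumptions, not Shibboleth config.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Sentinel meaning "the upstream response carried no ACR at all".
NO_ACR: Optional[str] = None

# Request mapping: downstream (proxy vocabulary) ACR -> values to request
# upstream. An empty list means "send no ACR upstream", as for LoginHaka.
REQUEST_MAPPING: Dict[str, List[str]] = {
    "LoginHaka": [],
    "LoginGoogle": [],
}


@dataclass(frozen=True)
class ResponseRule:
    """One row of the response mapping.

    issuer: upstream IdP entityID / OP issuer the rule applies to ('*' = any).
    upstream_acr: value seen in the upstream response, or NO_ACR for
        "no ACR was returned".
    downstream_acrs: proxy-vocabulary ACRs that value satisfies.
    """
    issuer: str
    upstream_acr: Optional[str]
    downstream_acrs: frozenset


RESPONSE_RULES: List[ResponseRule] = [
    # Known Haka values map back to LoginHaka regardless of which IdP answered.
    ResponseRule("*", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
                 frozenset({"LoginHaka"})),
    ResponseRule("*", "https://refeds.org/profile/mfa", frozenset({"LoginHaka"})),
    # The requested feature: an absent ACR satisfies LoginGoogle, but only
    # when the response actually came from the assumed Google issuer.
    ResponseRule("https://accounts.google.com", NO_ACR, frozenset({"LoginGoogle"})),
]


def upstream_acrs_for(requested: Iterable[str]) -> List[str]:
    """Phase 1: what the proxy asks the upstream IdP/OP for."""
    out: List[str] = []
    for acr in requested:
        out.extend(REQUEST_MAPPING.get(acr, []))
    return out


def translate_response(requested: Set[str], issuer: str,
                       returned: List[str], allow_empty: bool) -> Set[str]:
    """Phase 3: map the upstream ACR list back to proxy vocabulary.

    allow_empty=False reproduces the behaviour the thread complains about:
    with no ACR in the response the translator is never invoked, so nothing
    is produced and the requirement cannot be satisfied.
    allow_empty=True translates an absent ACR through NO_ACR rules, and
    (an assumption taken from the second comment) only into values the
    downstream client actually requested, never into a static value.
    """
    if not returned and not allow_empty:
        return set()
    values: List[Optional[str]] = list(returned) if returned else [NO_ACR]
    result: Set[str] = set()
    for value in values:
        for rule in RESPONSE_RULES:
            if rule.upstream_acr != value or rule.issuer not in ("*", issuer):
                continue
            mapped = set(rule.downstream_acrs)
            if value is NO_ACR:
                mapped &= requested
            result |= mapped
    return result


def satisfies(requested: Set[str], translated: Set[str]) -> bool:
    """The 'Shibboleth machinery is happy' check: some requested ACR was met."""
    return bool(requested & translated)


if __name__ == "__main__":
    haka_idp = "https://idp.example.edu/idp/shibboleth"   # constructed entityID
    google = "https://accounts.google.com"                 # assumed issuer
    print(translate_response({"LoginHaka"}, haka_idp, ["https://refeds.org/profile/mfa"], False))
    print(translate_response({"LoginGoogle"}, google, [], False))  # old behaviour
    print(translate_response({"LoginGoogle"}, google, [], True))   # requested behaviour
```

Keying the NO_ACR rule on the issuer is the part worth keeping if this is ever implemented: without it, any upstream that simply omits the ACR would satisfy "LoginGoogle", which defeats the purpose of the vocabulary.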