...
In the OIDC world, requiring forced authentication amounts to setting the prompt authentication request parameter to login. This forces the OP to prompt the End-User for reauthentication and, if it cannot reauthenticate the End-User, to return an error (typically login_required) rather than silently reusing an existing session.
The Authentication Context Class Reference (acr) is similar to the SAML <AuthnContextClassRef> construct and identifies the class of authentication performed. The RP can request ACRs either by adding suitable space-separated string values to the acr_values authentication request parameter, or by adding them to an acr requested claim. Note that acr_values is only a voluntary request: the OP reports the class it actually satisfied in the acr claim of the ID Token, and the RP has to check that value rather than assume the request was honoured.
To add ACR values to the request parameter, the RP looks at the defaultAuthenticationMethods RelyingParty configuration option. The global policy (which you can override per upstream OP) either passes through or maps the original SP's requirements into acr_values. If passed through, the upstream OP is unlikely to understand the semantics of SAML context URIs, so a mapping list (bean) can be defined that translates between SAML requested principals and OIDC ACR values. This bean is defined in the conf/authn/authn-comparison.xml file:
...
Requesting The ACR Claim
The requested claims hook can be used to request specific Authentication Context Class References by setting the acr claim with suitable values. Note, however, that if the downstream SP requested certain authentication contexts, these are added to the acr claim alongside those set by the requested claims hook before the request is forwarded to the upstream OP (see ACR).
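The following is an added, illustrative example (not the plugin's or the Shibboleth project's code) of the request shaping described in the two ACR passages above: it translates a downstream SP's SAML authentication context URIs into OIDC acr values through a mapping table, merges them with extra values from a requested-claims hook into the acr requested claim, sets prompt=login for forced authentication, and then checks the acr the OP actually returned. The mapping table, client identifiers, endpoint URLs and acr URIs are constructed for this example; the real mapping lives in the IdP's authn-comparison.xml.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed mapping from SAML AuthnContextClassRef URIs (what the downstream
# SP asks for) to acr values the upstream OP understands. Purely illustrative.
SAML_TO_ACR = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": "urn:example:acr:password",
    "https://refeds.org/profile/mfa": "urn:example:acr:mfa",
}


def map_saml_contexts(requested_contexts, mapping=SAML_TO_ACR, passthrough=False):
    """Translate SAML requested principals into OIDC acr values.

    passthrough=True forwards the SAML URIs unchanged (an upstream OP will
    usually not understand them). Otherwise unmapped values are dropped,
    order is preserved and duplicates are removed.
    """
    out = []
    for ctx in requested_contexts:
        acr = ctx if passthrough else mapping.get(ctx)
        if acr and acr not in out:
            out.append(acr)
    return out


def build_authentication_request(authz_endpoint, client_id, redirect_uri, state, nonce,
                                 sp_contexts=(), hook_acr_claim_values=(),
                                 force_authn=False, acr_essential=False):
    """Build the authorization endpoint URL sent to the upstream OP.

    sp_contexts: authentication contexts requested by the downstream SP; they
      are mapped into acr_values and also into the acr requested claim.
    hook_acr_claim_values: extra acr values contributed by a requested-claims
      hook; they are appended to the acr requested claim after the SP's.
    force_authn: sets prompt=login, i.e. the OP must reauthenticate or error.
    acr_essential: marks the acr requested claim essential (acr_values alone
      is only a voluntary request).
    """
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    if force_authn:
        params["prompt"] = "login"

    mapped = map_saml_contexts(sp_contexts)
    if mapped:
        params["acr_values"] = " ".join(mapped)

    # Merge SP-derived values with the hook's values, SP values first.
    acr_claim = list(mapped)
    for v in hook_acr_claim_values:
        if v not in acr_claim:
            acr_claim.append(v)
    if acr_claim:
        claim = {"values": acr_claim}
        if acr_essential:
            claim["essential"] = True
        params["claims"] = json.dumps({"id_token": {"acr": claim}}, separators=(",", ":"))

    return authz_endpoint + "?" + urlencode(params)


def parse_request(url):
    """Decode an authentication request URL back into its parameters (for inspection)."""
    query = parse_qs(urlparse(url).query)
    out = {k: v[0] for k, v in query.items()}
    if "claims" in out:
        out["claims"] = json.loads(out["claims"])
    return out


def check_acr(id_token_claims, acceptable_acrs):
    """Verify the acr the OP reports in the ID Token.

    Because acr_values is voluntary, the OP may have satisfied a weaker class
    or omitted acr entirely; the RP must refuse the login in both cases.
    """
    return id_token_claims.get("acr") in set(acceptable_acrs)


if __name__ == "__main__":
    url = build_authentication_request(
        "https://op.example.org/authorize", "rp-client", "https://idp.example.org/cb",
        "st-123", "nonce-456",
        sp_contexts=["https://refeds.org/profile/mfa", "urn:example:unknown-context"],
        hook_acr_claim_values=["urn:example:acr:hw"],
        force_authn=True, acr_essential=True)
    print(url)
    print(parse_request(url))
    print(check_acr({"acr": "urn:example:acr:mfa"}, ["urn:example:acr:mfa", "urn:example:acr:hw"]))
```

The unmapped SAML context is dropped rather than forwarded, and the hook's extra value ends up only in the acr requested claim, mirroring the merging behaviour the text describes; check_acr is the step the RP must not skip, since an OP that ignores acr_values is not violating the protocol.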
...