...

In the OIDC world, forced authentication amounts to setting the prompt authentication request parameter to login. This directs the OP to prompt the End-User for reauthentication and, if it cannot reauthenticate the End-User, to return an error (typically login_required) rather than silently reusing the existing session.

Authentication Context Class Reference

The Authentication Context Class Reference (acr) is the OIDC counterpart of the SAML <AuthnContextClassRef> construct and identifies the class of authentication the OP performed. The RP can request ACRs in two ways: by adding space-separated string values to the acr_values authentication request parameter, which is only a voluntary hint to the OP, or by adding them to an acr entry of the requested claims, which can additionally be marked essential. In either case the RP should check the acr claim in the returned ID Token rather than assume the request was honoured.

To add ACR values to the request parameter, the RP consults the defaultAuthenticationMethods RelyingParty configuration option. The global policy (which you can override per OP) either passes the original SP's requested authentication contexts through unchanged or maps them into acr_values. If they are passed through, it is likely that the upstream OP will not understand their semantics (they are SAML URIs), so a mapping list (bean) can be defined that translates between SAML requested principals and OIDC ACR values. This bean can be defined in the conf/authn/authn-comparison.xml file:

...

Example requested individual claims script (statically adds claims):
    <!-- Hook that returns the claims to request from the upstream OP; the body is an inline JavaScript script -->
    <bean id="shibboleth.authn.oidc.rp.RequestedClaimsHook" parent="shibboleth.Functions.Scripted"
        factory-method="inlineScript"
        p:inputType="org.opensaml.profile.context.ProfileRequestContext"
        p:outputType="com.nimbusds.openid.connect.sdk.OIDCClaimsRequest">
        <constructor-arg>
            <value>
            <![CDATA[
                // Statically request given_name in the ID Token and family_name from the UserInfo endpoint
                var requestedClaims = new com.nimbusds.openid.connect.sdk.OIDCClaimsRequest()
                    .withIDTokenClaimsRequest(new com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest().add(new com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest.Entry("given_name")))
                    .withUserInfoClaimsRequest(new com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest().add(new com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest.Entry("family_name")));
                // The last expression is the script's return value
                requestedClaims;
            ]]>
            </value>
        </constructor-arg>
    </bean>

Requesting The ACR Claim

The requested claims hook can be used to request specific Authentication Context Class References by setting the acr claim with suitable values (and, where the RP depends on them, marking the claim essential). Note, however, that if the downstream SP requested certain authentication contexts, these are added to the acr claim alongside the values set by the requested claims hook before the request is forwarded to the upstream OP (see ACR), so the hook's values supplement, rather than replace, what the SP asked for.
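The following is an added example, not code from the Shibboleth OIDC RP plugin: a plain JavaScript model of the two paths described above, the SAML-to-ACR mapping that feeds acr_values and the merge of SP-requested contexts into the acr entry of the claims request. It also maps forced authentication to prompt=login. The SAML_TO_ACR table, the sample SP principals, the sample hook output, and all function names are constructed for illustration; the plugin's actual bean names, merge order and handling of the essential flag are not stated on this page and are assumptions here.

```javascript
// Added example, not the plugin's own code. Models how a SAML SP's requested
// <AuthnContextClassRef> values reach the upstream OP, either as the acr_values
// parameter or merged into the "acr" entry of the claims parameter, and how
// forceAuthn becomes prompt=login.

// Constructed stand-in for the SAML-principal-to-ACR mapping bean that the
// text says can be declared in conf/authn/authn-comparison.xml.
const SAML_TO_ACR = {
  "https://refeds.org/profile/mfa": "https://refeds.org/profile/mfa",
  "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport":
    "urn:mace:incommon:iap:bronze",
};

// Translate the SP's requested principals into ACR values. passThrough=true
// forwards the SAML URIs unchanged (the upstream OP will most likely not
// understand them); passThrough=false applies the mapping and drops anything
// unmapped rather than sending an opaque value upstream (a design choice here).
function mapRequestedPrincipals(spPrincipals, { passThrough = false, mapping = SAML_TO_ACR } = {}) {
  if (passThrough) return [...spPrincipals];
  return spPrincipals.map((p) => mapping[p]).filter((acr) => acr !== undefined);
}

// acr_values is a space-separated list in order of preference; it is only a
// voluntary hint to the OP, never an enforced requirement.
function buildAcrValuesParam(acrs) {
  return acrs.length ? acrs.join(" ") : undefined;
}

// Union the SP-derived ACRs into the "acr" entry the requested-claims hook
// produced for the ID Token: hook values first, duplicates removed, and the
// hook's "essential" flag preserved (assumed behaviour, not confirmed by the page).
function mergeAcrClaim(hookClaims, spAcrs) {
  const claims = JSON.parse(JSON.stringify(hookClaims || {}));
  if (!spAcrs.length) return claims;
  const idToken = (claims.id_token = claims.id_token || {});
  const acr = idToken.acr === null || idToken.acr === undefined ? {} : idToken.acr;
  const hookValues = acr.values || (acr.value ? [acr.value] : []);
  const merged = [...new Set([...hookValues, ...spAcrs])];
  idToken.acr = { ...acr, values: merged };
  delete idToken.acr.value; // "value" and "values" are mutually exclusive in a claims request
  return claims;
}

// Assemble the authentication request parameters relevant to this page.
// forceAuthn maps to prompt=login, which obliges the OP to re-authenticate the
// End-User or fail with login_required.
function buildAuthnRequestParams({ spPrincipals, hookClaims, forceAuthn = false, passThrough = false }) {
  const spAcrs = mapRequestedPrincipals(spPrincipals, { passThrough });
  const params = { response_type: "code", scope: "openid" };
  if (forceAuthn) params.prompt = "login";
  const acrValues = buildAcrValuesParam(spAcrs);
  if (acrValues) params.acr_values = acrValues;
  const claims = mergeAcrClaim(hookClaims, spAcrs);
  if (Object.keys(claims).length) params.claims = JSON.stringify(claims);
  return params;
}

// Constructed sample input: the downstream SP asked for REFEDS MFA and an
// unmapped Kerberos context; the hook statically requested given_name plus an
// essential acr of InCommon Silver in the ID Token and family_name from UserInfo.
const SAMPLE_SP_PRINCIPALS = [
  "https://refeds.org/profile/mfa",
  "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos", // not in SAML_TO_ACR, so dropped
];
const SAMPLE_HOOK_CLAIMS = {
  id_token: {
    given_name: null, // null means "requested, no further constraints"
    acr: { essential: true, values: ["urn:mace:incommon:iap:silver"] },
  },
  userinfo: { family_name: null },
};

const sampleParams = buildAuthnRequestParams({
  spPrincipals: SAMPLE_SP_PRINCIPALS,
  hookClaims: SAMPLE_HOOK_CLAIMS,
  forceAuthn: true,
});
console.log(new URLSearchParams(sampleParams).toString());
```

Run with node; the printed query string shows prompt=login, acr_values carrying only the mapped REFEDS MFA value, and a claims parameter whose id_token.acr entry lists the hook's Silver value followed by the SP's MFA value with essential still true. Switching passThrough to true forwards the raw SAML Kerberos URI instead of dropping it, which is exactly the case the text warns the upstream OP will not understand.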

Request Object

...