
Tutorial: How to require certain authentication context for the SAML authentication process

Abstract

Require certain authentication context information for the SAML authentication process on Access Server.

Overview

When you configure SAML as an authentication method for Access Server, the Access Server becomes your Service Provider (SP) with an Identity Provider (IdP) providing the user directory.

When a user authenticates, the SP requests an assertion from the IdP, which can include authentication context. You can require certain information in this context about the authentication process using AuthNContext.

Prerequisites

  • SAML is set up for Access Server and your IdP.

When you configure Access Server, as the SP, to request AuthNContext, it includes the requested AuthNContext element(s) in the authentication request it sends to the IdP. The IdP then generates the assertion, with the authentication context added, and sends it to the SP. Upon successful authentication, the user logs in. The process follows this general flow:

  1. The SP sends the authentication request with the AuthNContext element.

  2. The IdP receives the request, authenticates the user, generates a user session, and validates the AuthNContext element.

  3. Upon successful authentication, the IdP includes the AuthNContext element in the assertion sent to the SP; if it isn’t successful, the IdP sends “no authncontext.”

  4. The SP completes the authentication with the assertion and the user signs in.

By default, the SAML assertion uses the PasswordProtectedTransport authentication context class, which corresponds to a username and password sent over a protected transport. With Access Server 2.11.1 and newer, you can use other authentication types besides username and password through AuthNContext. Examples of different authentication types include client certificates or Kerberos.

Follow these steps to specify which authentication methods are allowed:

  1. Ensure you’ve set up SAML with Access Server and your IdP.

  2. Sign in to the Admin Web UI.

  3. Click Authentication > SAML.

  4. Set Send custom AuthnContext to IdP to Yes.

  5. Enter the authentication method(s) as a space-separated list in the AuthnContexts to include in the AuthNRequest text field.

Example 1. Methods you can include:
  • Password

  • PasswordProtectedTransport

  • TLSClient

  • X509

  • Kerberos
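The flow above (request with AuthNContext, assertion with or without it) and the space-separated method list entered in step 5 can both be illustrated with a small SP-side script. The following is an added example, not Access Server's own code: it maps the short names from the field to the standard SAML 2.0 authentication context class URIs, serializes the RequestedAuthnContext element that goes into the AuthnRequest, and then checks whether an assertion returned by the IdP actually carries one of the requested classes, rejecting an assertion with no AuthnContext at all. The sample assertion fragment is constructed for the example, and the Comparison="exact" default is an assumption about the request shape, not a documented Access Server setting.

```python
"""Build a SAML 2.0 RequestedAuthnContext and check an IdP assertion against it."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Short names as typed into the Access Server field, mapped to the standard
# SAML 2.0 authentication context class URIs they stand for.
KNOWN_CLASSES = {
    "Password": AC_PREFIX + "Password",
    "PasswordProtectedTransport": AC_PREFIX + "PasswordProtectedTransport",
    "TLSClient": AC_PREFIX + "TLSClient",
    "X509": AC_PREFIX + "X509",
    "Kerberos": AC_PREFIX + "Kerberos",
}


def parse_context_field(field: str) -> list:
    """Turn the space-separated admin-field value into a list of class URIs.

    Unknown short names raise instead of being silently dropped, so a typo
    cannot quietly weaken the set of contexts the SP asks for.
    """
    uris = []
    for name in field.split():
        if name not in KNOWN_CLASSES:
            raise ValueError(f"unknown AuthnContext class: {name}")
        uris.append(KNOWN_CLASSES[name])
    return uris


def build_requested_authn_context(class_uris, comparison="exact") -> str:
    """Serialize the <samlp:RequestedAuthnContext> element for an AuthnRequest.

    The Comparison attribute ("exact" here, an assumption for the example)
    tells the IdP how to match the listed classes.
    """
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": comparison})
    for uri in class_uris:
        ref = ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef")
        ref.text = uri
    return ET.tostring(rac, encoding="unicode")


def assertion_context_class(assertion_xml: str):
    """Return the AuthnContextClassRef value from an assertion, or None if absent."""
    root = ET.fromstring(assertion_xml)
    path = (f".//{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/"
            f"{{{SAML}}}AuthnContextClassRef")
    ref = root.find(path)
    if ref is None or not (ref.text or "").strip():
        return None
    return ref.text.strip()


def assertion_satisfies(assertion_xml: str, allowed_uris) -> bool:
    """SP-side check: accept only if the IdP asserted one of the requested classes.

    An assertion with no AuthnContext (the "no authncontext" case) is rejected.
    """
    got = assertion_context_class(assertion_xml)
    return got is not None and got in set(allowed_uris)


# Constructed sample assertion fragment (not captured from a real IdP). It shows
# only the element shape this check inspects; a real assertion also carries a
# signature, Subject and Conditions that the SP must validate before this step.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_example" Version="2.0">
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{AC_PREFIX}Kerberos</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    allowed = parse_context_field("TLSClient X509 Kerberos")
    print(build_requested_authn_context(allowed))
    print("assertion accepted:", assertion_satisfies(SAMPLE_ASSERTION, allowed))
```

The point of the final check is that requesting a context is only half of the control: the SP still has to confirm that the class the IdP asserted is one it asked for, and treat a missing AuthnContext as a failed requirement rather than a default.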