Customize AuthnContext using identity mapping rule (Federation)

SAML 2.0 Identity Provider now supports customizing AuthnContextClassRef using the mapping rule.

The AuthnContextClassRef, AuthnContextDeclRef, and AuthnContextComparison are retrieved from the Authentication Request.

The STSUUSER method addContextAttribute can be used to set AuthnContextClassRef to a required value. In the example below, the AuthnContextClassRef is set to urn:oasis:names:tc:SAML:2.0:ac:classes:X509. stsuu.addContextAttribute(new Attribute("AssertionAuthnContextRef", "urn:oasis:names:tc:SAML:2.0:assertion", "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"));

The AuthnContextComparison value is available at the mapping rule. The administrator can write logic in the mapping rule to decide on what “exact”, “better”, “minimum”, or “maximum” represents. The administrator can then decide the AuthnContextClassRef that needs to be sent in the SAML response.

A sample mapping rule saml20_authncontext.js is provided with samples of how these parameters is used. From the dashboard, the mapping rule is under File Downloads > federation > examples > mapping rules.


Parent topic: SAML Federations Overview