In an IdP Proxy scenario with LOAs defined, if the SP initiates federation and requests LOA level 2 (for example), the IdP correctly returns an AuthnContextClassRef for level 2, but the Proxy forwards an AuthnContextClassRef for level 0.
- Set up IDP Proxy configuration with LOA following information from https://wikis.forgerock.org/confluence/display/openam/SAMLv2+IDP+Proxy+Part+2.+Using+an+IDP+Finder+and+LOAs
- Verify that federation works when started with the default AuthN context (adapt as needed):
- Now test with LOA such as:
The root cause lies in the proxy instance of AM. A debug recording and the SAML tracer flow are attached to this bug report.
Note that it was working in 13.5, according to the customer, but I have not tested in any other version than 188.8.131.52.
As far as I can see, the problem happens in FMSessionProvider.java - createSession, where the CTS session is created without an authentication level attached to it:
When retrieving the authLevel to build its response, AM6 (as IdP Proxy) uses the CTS session and finds an authLevel value of 0. It then uses the AuthN context that corresponds to that level.
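Until the proxy is fixed, the SP side can refuse an assertion whose AuthnContextClassRef is weaker than what it requested. The following is an added example (not AM code and not from this bug report) that compares the RequestedAuthnContext of a constructed AuthnRequest against the AuthnContextClassRef of a constructed Response; the `urn:example:loa:N` class-ref URIs and the LOA mapping are placeholders standing in for the deployment's real values.

```python
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumption: placeholder class-ref URIs standing in for the deployment's real LOA classes.
LOA_BY_CLASS_REF = {"urn:example:loa:%d" % n: n for n in range(4)}

# Constructed AuthnRequest: the SP asks for at least LOA 2.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0">
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>urn:example:loa:2</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def _response_with(class_ref: str) -> str:
    """Constructed minimal Response carrying one AuthnContextClassRef (signature omitted)."""
    return """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:AuthnStatement>
    <saml:AuthnContext><saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement></saml:Assertion>
</samlp:Response>""" % class_ref

RESPONSE_FROM_IDP = _response_with("urn:example:loa:2")    # what the IdP returns
RESPONSE_FROM_PROXY = _response_with("urn:example:loa:0")  # what the buggy proxy returns

def asserted_loa(response_xml: str) -> Optional[int]:
    """LOA carried by the assertion's AuthnContextClassRef, or None if absent/unknown."""
    ref = ET.fromstring(response_xml).find(
        "saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return LOA_BY_CLASS_REF.get(ref.text.strip()) if ref is not None and ref.text else None

def loa_satisfied(authn_request_xml: str, response_xml: str) -> bool:
    """True only if the asserted LOA meets what the SP requested; unknown values fail closed."""
    rac = ET.fromstring(authn_request_xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return True  # SP expressed no requirement
    wanted = {LOA_BY_CLASS_REF.get((r.text or "").strip())
              for r in rac.findall("saml:AuthnContextClassRef", NS)} - {None}
    got = asserted_loa(response_xml)
    if got is None or not wanted:
        return False
    comparison = rac.get("Comparison", "exact")  # SAML default is "exact"
    if comparison == "minimum":
        return got >= min(wanted)
    if comparison == "exact":
        return got in wanted
    return False  # "better"/"maximum" not modelled here: fail closed
```

With the constructed inputs, the IdP's level-2 response passes and the proxy's level-0 response is rejected, which is the condition this report describes.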