OpenAM / OPENAM-9083

DefaultIDPAuthnContextMapper selects highest auth-level configured

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 13.0.0
    • Fix Version/s: 13.5.1, 14.0.0
    • Component/s: SAML
    • Sprint:
      AM Sustaining Sprint 32
    • Story Points:
      5

      Description

      Configuring the following authContext mapping on the IdP

      <Attribute name="idpAuthncontextClassrefMapping">
          <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|1|authlevel=1|default</Value>
          <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI|100|authlevel=100|</Value>
          <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient|10|authlevel=10|</Value>
      </Attribute>
      

      and having configured auth-instance like

      LDAP -> authlevel '1'
      Cert -> authlevel '10'
      SmartCard -> authlevel '100'

      The following SAML AuthnRequest

      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                          ID="s2af5058a167e5becb61f8e171db8e1c16fcf3bcf6"
                          Version="2.0"
                          IssueInstant="2016-06-13T07:14:01Z"
                          Destination="http://openam1300.test.xyz:8080/openam/SSORedirect/metaAlias/idp"
                          ForceAuthn="false"
                          IsPassive="false"
                          ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                          AssertionConsumerServiceURL="http://tc7.doit.org:8888/fedlet1102//fedletapplication"
                          >
          <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Fedlet</saml:Issuer>
          <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                              Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                              SPNameQualifier="Fedlet"
                              AllowCreate="true"
                              />
          <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                                       Comparison="minimum"
                                       >
              <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient</saml:AuthnContextClassRef>
          </samlp:RequestedAuthnContext>
      </samlp:AuthnRequest>
      

      would cause OpenAM to trigger auth-level based authentication for level '100', never for level '10'.

      Excerpt from debug log ...

      libSAML2:06/13/2016 09:21:29:243 AM CEST: Thread[http-nio-8080-exec-2,5,main]: TransactionId[7d9ee254-57e1-4a0f-abb3-189b0f2a9a7c-1238]
      IDPSSOFederate.redirectAuthentication:  authString= authlevel=100
      libSAML2:06/13/2016 09:21:29:243 AM CEST: Thread[http-nio-8080-exec-2,5,main]: TransactionId[7d9ee254-57e1-4a0f-abb3-189b0f2a9a7c-1238]
      IDPSSOFederate.redirectAuthentication:  New URL for authentication: /UI/Login?realm=/&forward=true&spEntityID=Fedlet&authlevel=100&goto=%2FSSORedirect%2FmetaAlias%2Fidp%3FReqID%3Ds2af5058a167e5becb61f8e171db8e1c16fcf3bcf6%26index%3Dnull%26acsURL%3Dhttp%253A%252F%252Ftc7.doit.org%253A8888%252Ffedlet1102%252F%252Ffedletapplication%26spEntityID%3DFedlet%26binding%3Durn%253Aoasis%253Anames%253Atc%253ASAML%253A2.0%253Abindings%253AHTTP-POST
      libSAML2:06/13/2016 09:21:29:243 AM CEST: Thread[http-nio-8080-exec-2,5,main]: TransactionId[7d9ee254-57e1-4a0f-abb3-189b0f2a9a7c-1238]
      

      Although this might be according to SAML 2.0 core spec 3.3.2.2.1, I tend to say it's not the intended behaviour, as users who can only satisfy TLSClient but not SmartCard can never authenticate.
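The following is an added example and not OpenAM's own code (the real mapper is Java, and this does not claim to reproduce what the fix in 13.5.1 changed). It models how an IdP-side mapper resolves a RequestedAuthnContext against the three idpAuthncontextClassrefMapping values quoted above, using the same `classRef|authLevel|authString|default` layout and the same TLSClient request with Comparison="minimum". The `highest_satisfying` switch is an assumption of this example: with it on, the strongest satisfying context wins and the user is sent to `authlevel=100` as in the debug log; with it off, the weakest context that still satisfies the minimum wins, so a Cert-only user at level 10 can complete login.

```python
"""Added example for OPENAM-9083 (not OpenAM's own code): resolving a SAML
RequestedAuthnContext against the idpAuthncontextClassrefMapping values quoted
in the description, with two selection strategies side by side.
"""
from dataclasses import dataclass
from typing import List, Optional

# Mapping values copied from the issue description.
# Format of each value: <classRef>|<authLevel>|<authString>|[default]
MAPPING_VALUES = [
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|1|authlevel=1|default",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI|100|authlevel=100|",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient|10|authlevel=10|",
]

TLS_CLIENT = "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"


@dataclass(frozen=True)
class ContextMapping:
    class_ref: str     # AuthnContextClassRef the IdP can assert
    level: int         # IdP-side strength used for comparisons
    auth_string: str   # query fragment appended to /UI/Login, e.g. "authlevel=10"
    is_default: bool   # used when the request carries no RequestedAuthnContext


def parse_mapping(value: str) -> ContextMapping:
    """Parse one idpAuthncontextClassrefMapping value; raises on malformed input."""
    parts = value.split("|")
    if len(parts) < 3 or not parts[1].isdigit():
        raise ValueError(f"malformed mapping value: {value!r}")
    return ContextMapping(
        class_ref=parts[0],
        level=int(parts[1]),
        auth_string=parts[2],
        is_default=len(parts) > 3 and parts[3].strip() == "default",
    )


def parse_mappings(values: List[str]) -> List[ContextMapping]:
    return [parse_mapping(v) for v in values]


def select_context(mappings: List[ContextMapping],
                   requested_refs: List[str],
                   comparison: str = "exact",
                   highest_satisfying: bool = False) -> Optional[ContextMapping]:
    """Pick the mapping whose auth_string the IdP should redirect the user to.

    comparison follows SAML 2.0 core 3.3.2.2.1 (exact | minimum | better | maximum).
    highest_satisfying=True reproduces the behaviour in the report: among all
    contexts that satisfy the request, the strongest one wins (authlevel=100).
    highest_satisfying=False (an assumption of this example, not the project's
    documented rule) picks the weakest satisfying context instead, so a request
    for TLSClient with Comparison="minimum" resolves to authlevel=10.
    """
    known = {m.class_ref: m for m in mappings}
    requested = [known[r] for r in requested_refs if r in known]
    if not requested:
        return None  # nothing the IdP can map; caller decides default vs. error

    if comparison == "exact":
        # Request order expresses the SP's preference; take the first known one.
        return requested[0]

    levels = sorted(m.level for m in requested)
    if comparison == "minimum":
        # At least as strong as one of the requested contexts: the weakest requested is the floor.
        candidates = [m for m in mappings if m.level >= levels[0]]
    elif comparison == "better":
        # Stronger than the requested contexts; the strongest requested is the bar
        # (a conservative reading of "stronger than any one of").
        candidates = [m for m in mappings if m.level > levels[-1]]
    elif comparison == "maximum":
        # As strong as possible without exceeding one of the requested contexts.
        candidates = [m for m in mappings if m.level <= levels[-1]]
        return max(candidates, key=lambda m: m.level, default=None)
    else:
        raise ValueError(f"unknown Comparison value: {comparison!r}")

    if not candidates:
        return None
    chooser = max if highest_satisfying else min
    return chooser(candidates, key=lambda m: m.level)


def can_user_authenticate(user_max_level: int, selected: Optional[ContextMapping]) -> bool:
    """The reporter's concern: a user whose strongest module is Cert (level 10)
    can never finish login if the IdP insists on the SmartCard context (level 100)."""
    return selected is not None and selected.level <= user_max_level


if __name__ == "__main__":
    mappings = parse_mappings(MAPPING_VALUES)
    observed = select_context(mappings, [TLS_CLIENT], "minimum", highest_satisfying=True)
    lowest = select_context(mappings, [TLS_CLIENT], "minimum")
    print("observed:", observed.auth_string, "cert-only user ok:", can_user_authenticate(10, observed))
    print("lowest-satisfying:", lowest.auth_string, "cert-only user ok:", can_user_authenticate(10, lowest))
```

Run it as a script to see both outcomes for the TLSClient request; `exact`, `better` and `maximum` are included so the same table of mappings can be checked against every Comparison value an SP may send.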

              People

              • Assignee: peter.major Peter Major [X] (Inactive)
              • Reporter: bthalmayr Bernhard Thalmayr
              • Votes: 0
              • Watchers: 4
