[OPENAM-4103] Allow sending AuthnRequests without the RequestedAuthnContext element Created: 17/Jun/14  Updated: 20/Nov/16  Resolved: 25/May/15

Status: Resolved
Project: OpenAM
Component/s: SAML
Affects Version/s: 12.0.0
Fix Version/s: 11.0.4, 12.0.3, 13.0.0

Type: Improvement Priority: Major
Reporter: Peter Major [X] (Inactive) Assignee: Mark de Reeper
Resolution: Fixed Votes: 0
Labels: EDISON, release-notes
Remaining Estimate: 0h
Time Spent: 14h
Original Estimate: 4h

Attachments: PNG File authcontext.png
Sprint: Sprint 81 - Sustaining, Sprint 82 - Sustaining
Support Ticket IDs:
QA Assignee: Filip Kubáň [X] (Inactive)
Verified Version/s:


SiteMinder IdP unfortunately does not currently support the RequestedAuthnContext element of SAML AuthnRequests; however, OpenAM currently has no out-of-the-box means to disable the inclusion of such elements.
In order to enhance interoperability, we should introduce a setting that can prevent the addition of the RequestedAuthnContext element.

To work around this limitation it is possible to implement a custom SPAdapter extension that manually removes the element from the constructed XML object.

Comment by Mark de Reeper [ 21/Apr/15 ]

Looking at adding another boolean flag to the SP extended metadata that would be true by default (i.e. to include the RequestedAuthnContext) to enable disabling sending RequestedAuthnContext as part of the AuthnRequest.

Comment by Mark de Reeper [ 25/May/15 ]

Fixed in R13947, R13948 and R13949.

Added a new property to the hosted SP extended metadata called includeRequestedAuthnContext which, when set to false, causes the RequestedAuthnContext to be left out of the AuthenticationRequest to the IDP; it is true by default.

The includeRequestedAuthnContext property can also be passed as a parameter to spSSOInit.jsp to override the value stored in the extended metadata.

Comment by Filip Kubáň [X] (Inactive) [ 11/May/16 ]

Steps to verify:

1) Create/configure a hosted SAML IDP and SP
2) Navigate to Federation -> <created SP> -> Assertion content
3) The option "Include Request Authentication Context" should be present (see attached screenshot)

When checked, the SAML Request sent by the SP should not contain a <RequestedAuthnContext> element.
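The two operations behind this issue, the SPAdapter-style workaround from the description and the verification step above, as an added Python example that is not part of OpenAM or this issue: it tests whether a SAML 2.0 AuthnRequest still carries samlp:RequestedAuthnContext and strips the element from a constructed request. The sample request, its ID and its URLs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

# Constructed sample AuthnRequest (not captured from OpenAM); all values are placeholders.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_example-request-id" Version="2.0" IssueInstant="2015-05-25T00:00:00Z"
    Destination="https://idp.example.com/sso"
    AssertionConsumerServiceURL="https://sp.example.com/acs">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def has_requested_authn_context(authn_request_xml: str) -> bool:
    """Verification check: does the AuthnRequest contain a RequestedAuthnContext child?

    The element is a direct child of AuthnRequest in the SAML 2.0 schema, so a
    namespace-qualified find on the root is sufficient.
    """
    root = ET.fromstring(authn_request_xml)
    return root.find(f"{{{SAMLP_NS}}}RequestedAuthnContext") is not None


def strip_requested_authn_context(authn_request_xml: str) -> str:
    """Workaround equivalent: return the AuthnRequest with RequestedAuthnContext removed.

    This must run on the unsigned request; editing the XML after it has been
    signed or base64/deflate-encoded would invalidate the signature.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    for elem in root.findall(f"{{{SAMLP_NS}}}RequestedAuthnContext"):
        root.remove(elem)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", has_requested_authn_context(SAMPLE_AUTHN_REQUEST))
    stripped = strip_requested_authn_context(SAMPLE_AUTHN_REQUEST)
    print("after: ", has_requested_authn_context(stripped))
```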

Comment by Filip Kubáň [X] (Inactive) [ 11/May/16 ]

Verified on: OpenAM 12.0.3-RC2 Build 4dbe218a05 (2016-April-25 17:57)

Generated at Fri Jan 22 00:47:49 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.