Basic configuration
When configuring a Shibboleth SP for step-up authentication, please refer to:
See also some generic instructions for connecting a Shibboleth SP to SURFconext:
SURFconext Strong Authentication Specific configuration
Request authentication at a specific LoA
The following example Apache configuration snippet makes a request for a specific URL trigger a SAML request with LoA 2.
The LoA identifiers (e.g. http://surfconext.nl/assurance/loa2) are defined in Using Levels of Assurance to express strength of authentication. Note that the identifiers are unique to the production environment. Other environments, like the pilot environment, use different identifiers.
```apache
<Location /secure>
  # Hand this location to the Shibboleth SP and require an active session
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  # Request authentication at LoA 2
  ShibRequestSetting authnContextClassRef http://surfconext.nl/assurance/loa2
  require
</Location>
```
Example of the resulting subset of environment variables:
```
_77421bdf5f17e10c70efb9a89aa3737e
[Shib-Authentication-Instant]
[Shib-Authentication-Method]
[Shib-AuthnContext-Class]
c8a493e33432686feb5cc683a9fd0c7c
```
In the example above a LoA2 authentication was requested
(http://surfconext.nl/assurance/loa2), yet the user was authenticated at LoA3
(http://surfconext.nl/assurance/loa3).
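The level actually reached is reported in Shib-AuthnContext-Class and, as above, need not equal the requested one, so the application can compare it against its own minimum. A fail-closed check is sketched below as an added example, not code from the original page or from SURFconext. It assumes a Python application that receives the SP's variables in a dict such as the WSGI environ; the function names and the rank map are hypothetical.

```python
# Added example: fail-closed LoA check on the variables set by the Shibboleth SP.
# Production identifiers named on this page, mapped to a comparable rank.
# Other environments (e.g. pilot) use different identifiers: pass their own map.
PRODUCTION_LOA_RANK = {
    "http://surfconext.nl/assurance/loa2": 2,
    "http://surfconext.nl/assurance/loa3": 3,
}


class LoaError(Exception):
    """Raised when the session does not prove the required LoA."""


def achieved_loa(environ, loa_rank=PRODUCTION_LOA_RANK):
    """Return the rank of the LoA the user actually authenticated at."""
    value = environ.get("Shib-AuthnContext-Class", "").strip()
    if not value:
        raise LoaError("no Shib-AuthnContext-Class in the request environment")
    try:
        return loa_rank[value]
    except KeyError:
        # Exact match only: an identifier from another environment or an
        # unrelated authentication context is never treated as close enough.
        raise LoaError("unrecognised authentication context: %r" % value) from None


def require_loa(environ, minimum, loa_rank=PRODUCTION_LOA_RANK):
    """Return the achieved rank, or raise LoaError if it is below `minimum`."""
    if minimum not in loa_rank:
        raise LoaError("unknown required LoA: %r" % minimum)
    got = achieved_loa(environ, loa_rank)
    if got < loa_rank[minimum]:
        raise LoaError("LoA %d is below the required LoA %d"
                       % (got, loa_rank[minimum]))
    return got


if __name__ == "__main__":
    # Constructed sample mirroring the case above: LoA 2 requested, LoA 3 reached.
    sample = {"Shib-AuthnContext-Class": "http://surfconext.nl/assurance/loa3"}
    print(require_loa(sample, "http://surfconext.nl/assurance/loa2"))
```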