Basic configuration

When configuring a Shibboleth SP for step-up authentication, please refer to:

See also some generic instructions for connecting a Shibboleth SP to SURFconext:

SURFconext Strong Authentication Specific configuration

Request authentication at a specific LoA

The following example Apache configuration snippet makes a request for a specific URL trigger a SAML request with LoA 2. The LoA identifiers (e.g. http://surfconext.nl/assurance/loa2) are defined in Using Levels of Assurance to express strength of authentication. Note that the identifiers are unique to the production environment. Other environments, like the pilot environment, use different identifiers.
The LoA identifier is specific to the Production environment!

 

<Location /secure>
    AuthType shibboleth
    # Always require a Shibboleth session for this location
    ShibRequestSetting requireSession 1
    # Request authentication at LoA 2 (production identifier)
    ShibRequestSetting authnContextClassRef http://surfconext.nl/assurance/loa2
    require valid-user
</Location>

 

Example of the resulting subset of environment variables:

 

[Shib-Application-ID] => default
[Shib-Session-ID] => _77421bdf5f17e10c70efb9a89aa3737e
[Shib-Identity-Provider] =>
[Shib-Authentication-Instant] => 2013-10-29T22:08:46Z
[Shib-Authentication-Method] =>
[Shib-AuthnContext-Class] =>
[Shib-Session-Index] => c8a493e33432686feb5cc683a9fd0c7c
[persistent-id] =>

In the example above, a LoA2 authentication was requested (http://surfconext.nl/assurance/loa2), yet the user was authenticated at LoA3 (http://surfconext.nl/assurance/loa3).
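
Because the asserted LoA can be higher than the requested one, as in the example above, an application that checks Shib-AuthnContext-Class should compare levels rather than match the requested string exactly. The sketch below is an added example, not part of the SURFconext documentation; it assumes the SP attributes reach the application as a WSGI environ dict under the variable names shown above, and the function names and the sample values are constructed for illustration.

```python
# Added example: application-side check of the LoA asserted in the SAML response.
# Only the two production identifiers shown on this page are ranked; add the
# others from the LoA documentation for the environment you connect to.
LOA_RANK = {
    "http://surfconext.nl/assurance/loa2": 2,
    "http://surfconext.nl/assurance/loa3": 3,
}


def loa_satisfied(environ, required):
    """Return True only if Shib-AuthnContext-Class is a known LoA >= required."""
    if required not in LOA_RANK:
        raise ValueError("unknown required LoA: %r" % required)
    asserted = environ.get("Shib-AuthnContext-Class", "")
    rank = LOA_RANK.get(asserted)  # None for a missing or unknown identifier
    # Fail closed: identifiers from another environment are never accepted.
    return rank is not None and rank >= LOA_RANK[required]


def require_loa(app, required):
    """WSGI middleware (hypothetical name): answer 403 unless the LoA is met."""
    def guarded(environ, start_response):
        if not loa_satisfied(environ, required):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Insufficient level of assurance\n"]
        return app(environ, start_response)
    return guarded


# Constructed sample environments (not captured from a real session).
SAMPLE_LOA3 = {"Shib-AuthnContext-Class": "http://surfconext.nl/assurance/loa3"}
SAMPLE_LOA2 = {"Shib-AuthnContext-Class": "http://surfconext.nl/assurance/loa2"}
SAMPLE_OTHER = {"Shib-AuthnContext-Class": "urn:example:constructed:loa3"}

if __name__ == "__main__":
    need = "http://surfconext.nl/assurance/loa2"
    samples = [("loa3", SAMPLE_LOA3), ("loa2", SAMPLE_LOA2),
               ("other", SAMPLE_OTHER), ("missing", {})]
    for name, env in samples:
        print(name, loa_satisfied(env, need))
```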