...
- The SAML standard allows multiple AuthnContextClassRef elements to be specified in the RequestedAuthnContext. Currently SURFsecureID will only look at the first AuthnContextClassRef element.
- Specifying an AuthnContextClassRef other than one of the defined authentication levels for SFO will result in an error.
- The SAML standard allows a Comparison attribute to be added to the RequestedAuthnContext element. Currently SURFsecureID does not interpret the value of this attribute and behaves as if "minimum" was specified as the value for the Comparison attribute. This is a deviation from the SAML standard, which specifies "exact" as the default. "minimum" means that the authentication context in the authentication statement that is returned after a successful authentication will either be the requested authentication context, or the authentication context of a stronger (i.e. higher level) authentication. SURFsecureID currently always returns the authentication context corresponding to the highest level at which the user could be authenticated.
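Because the returned authentication context can be a higher level than the one requested, an SP that compares it to the requested value with a plain string equality check will reject valid logins. The following added example (not part of the original page or of SURFsecureID's own code) shows an SP-side check with "minimum" semantics. The level identifiers are constructed placeholders, and the assertion is assumed to have already been signature-validated by the SP's SAML library.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder identifiers (constructed), ordered weakest to strongest.
# Replace with the SFO level URIs documented for your environment.
LEVELS = [
    "urn:example:sfo:level1",
    "urn:example:sfo:level2",
    "urn:example:sfo:level3",
]

def returned_class_ref(assertion_xml):
    """Return the single AuthnContextClassRef of an already-validated assertion."""
    root = ET.fromstring(assertion_xml)
    refs = root.findall(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS
    )
    if len(refs) != 1:
        raise ValueError("expected exactly one AuthnContextClassRef, got %d" % len(refs))
    return (refs[0].text or "").strip()

def satisfies_minimum(requested, returned):
    """True if 'returned' is the requested level or a stronger one.

    Unknown identifiers are rejected rather than treated as the weakest level.
    """
    if requested not in LEVELS or returned not in LEVELS:
        return False
    return LEVELS.index(returned) >= LEVELS.index(requested)

# Constructed sample: the SP asked for level2, the user authenticated at level3.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:AuthnStatement><saml:AuthnContext>"
    "<saml:AuthnContextClassRef>urn:example:sfo:level3</saml:AuthnContextClassRef>"
    "</saml:AuthnContext></saml:AuthnStatement>"
    "</saml:Assertion>"
)

if __name__ == "__main__":
    got = returned_class_ref(SAMPLE_ASSERTION)
    print(got, satisfies_minimum("urn:example:sfo:level2", got))
```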
...
Example code for using SFO with SimpleSAMLphp can be found at: https://github.com/SURFnet/Stepup-SFO-demo