
Comment: Migrated to Confluence 5.3


Requesting an IAQ

To populate the <samlp:RequestedAuthnContext> element in the SP's requests, the AuthnContextClassRef content setting can be used.

Content settings are properties that can be set in a number of places in the SP to associate settings with resources, commonly via the Apache ShibRequestSetting command or the <RequestMap> in shibboleth2.xml, or by passing them as parameters to "/Shibboleth.sso/Login" if the SP's lazy session feature is being used to generate requests.

Currently, this mechanism only allows for a single IAQ to be requested. To include multiple values in a request, the AuthnRequest "template" mechanism described in the SessionInitiator documentation can be used.

See also some generic instructions for connecting a Shibboleth SP to SURFconext:
An example Apache configuration snippet where a request for a specific URL triggers a SAML request with a higher LoA:
Code Block
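<Location /secure>
        AuthType shibboleth
        # Require an active Shibboleth session for this location
        ShibRequestSetting requireSession 1
        # Authentication context class (LoA identifier) to request in the AuthnRequest
        ShibRequestSetting authnContextClassRef
        require valid-user
</Location>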

An example of the resulting subset of environment variables:
Code Block
[Shib-Application-ID] => default

[Shib-Session-ID] => _77421bdf5f17e10c70efb9a89aa3737e
[Shib-Identity-Provider] =>
[Shib-Authentication-Instant] => 2013-10-29T22:08:46Z
[Shib-Authentication-Method] =>
[Shib-AuthnContext-Class] =>
[Shib-Session-Index] => c8a493e33432686feb5cc683a9fd0c7c
[persistent-id] =>!!
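
The following is an added example, not part of the original page or of the Shibboleth or SURFconext code: an application-side check that reads Shib-AuthnContext-Class from the request environment and, when the asserted LoA is too low or absent, builds a lazy-session redirect to "/Shibboleth.sso/Login" with authnContextClassRef passed as a parameter. The LoA identifiers, their ordering and the function names are assumptions made for illustration.

```python
from urllib.parse import urlencode

# Constructed placeholder identifiers, weakest first (assumption); substitute
# the LoA identifiers your federation actually publishes.
LOA_ORDER = [
    "https://idp.example.org/assurance/loa1",
    "https://idp.example.org/assurance/loa2",
    "https://idp.example.org/assurance/loa3",
]
LOGIN_HANDLER = "/Shibboleth.sso/Login"  # handler path named on this page


def loa_rank(class_ref):
    """Return the position of class_ref in LOA_ORDER, or -1 if unknown or absent."""
    try:
        return LOA_ORDER.index(class_ref)
    except ValueError:
        return -1


def step_up_decision(environ, required, return_url):
    """Return ("allow", None) or ("redirect", url) for the current request.

    Fails closed: a missing session or an unrecognised Shib-AuthnContext-Class
    never counts as sufficient.
    """
    if required not in LOA_ORDER:
        raise ValueError("required LoA is not a configured identifier")
    # Only local paths are accepted as the post-login target (no open redirect).
    if not return_url.startswith("/") or return_url.startswith("//"):
        raise ValueError("return_url must be a local path")
    have_session = bool(environ.get("Shib-Session-ID"))
    asserted = environ.get("Shib-AuthnContext-Class", "")
    if have_session and loa_rank(asserted) >= loa_rank(required):
        return ("allow", None)
    # Lazy-session request: pass the content setting as a query parameter.
    query = urlencode({"target": return_url, "authnContextClassRef": required})
    return ("redirect", LOGIN_HANDLER + "?" + query)


if __name__ == "__main__":
    # Constructed environment, shaped like the variable dump above.
    env = {"Shib-Session-ID": "_example", "Shib-AuthnContext-Class": LOA_ORDER[0]}
    print(step_up_decision(env, LOA_ORDER[1], "/secure/transfer"))
```

The check belongs in the application because requesting a class in the AuthnRequest only expresses what the SP wants; the access decision should rest on the class the session actually carries.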