Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 10 Current »

Request authentication at a specific LoA

An example Apache configuration snippet where a request for a specific URL triggers a SAML request with LoA 2.
The LoA identifier ( in the example below is specific for the Production environment, the Test and Pilot environments use different identifiers.

<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting authnContextClassRef
    require valid-user

Below is an example of the resulting subset of environment variables that are set by the Shibboleth SP. You can use these for authorisation purposes in your application.

[Shib-Application-ID] => default
[Shib-Session-ID] => _77421bdf5f17e10c70efb9a89aa3737e
[Shib-Authentication-Instant] => 2013-10-29T22:08:46Z
[Shib-Authentication-Method] =>
[Shib-AuthnContext-Class] =>
[Shib-Session-Index] => c8a493e33432686feb5cc683a9fd0c7c

Note that a LoA2 authentication was requested, yet the user was authenticated at LoA3.


You can only rely on the value of Shib-Authentication-Method or Shib-AuthnContext-Class when Shib-Identity-Provider is indeed the EnityID that of the SURFsecureID IdP. For Production that is, the other environments use different EntityIDs.

Note that when your shibboleth trusts other IdPs (e.g. in addition to the SURFsecureID IdP. Shibboleth will by default accept unsolicited assertions (also known as IdP-initiaded SSO). This means that an IdP can login without the SP having first created an authentication request. We recommend that you always verify that the EnityID of the IdP is the one you expect for each authentication, e.g. by verifying the value of Shib-Identity-Provider.

More info

  • No labels