Basic configuration
When configuring a Shibboleth SP for step-up authentication, please refer to:
See also some generic instructions for connecting a Shibboleth SP to SURFconext:
SURFconext Strong Authentication Specific configuration
Request authentication at a specific LoA
The following example Apache configuration snippet triggers a SAML request with LoA 2 when a specific URL is requested. The LoA identifiers (e.g. http://surfconext.nl/assurance/loa2) are defined in Using Levels of Assurance to express strength of authentication. Note that the identifiers are unique to the production environment. Other environments, like the pilot environment, use different identifiers.
    <Location /secure>
      AuthType shibboleth
      ShibRequestSetting requireSession 1
      ShibRequestSetting authnContextClassRef http://surfconext.nl/assurance/loa2
      require valid-user
    </Location>
An example of the resulting subset of environment variables:
    [Shib-Application-ID] => default
    [Shib-Session-ID] => _77421bdf5f17e10c70efb9a89aa3737e
    [Shib-Identity-Provider] => https://sa-gw.surfconext.nl/authentication/metadata
    [Shib-Authentication-Instant] => 2013-10-29T22:08:46Z
    [Shib-Authentication-Method] => http://surfconext.nl/assurance/loa3
    [Shib-AuthnContext-Class] => http://surfconext.nl/assurance/loa3
    [Shib-Session-Index] => c8a493e33432686feb5cc683a9fd0c7c
    [persistent-id] => https://sa-gw.surfconext.nl/authentication/metadata!https://my-sp.example.com/shibboleth!urn:collab:person:surfnet.nl:john
Note that in the example above a LoA2 authentication was requested (http://surfconext.nl/assurance/loa2) yet the user was authenticated at LoA3 (http://surfconext.nl/assurance/loa3).
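Because the asserted LoA can be higher than the requested one, an application that checks the level itself should compare by order and not by exact string match. The following is an added example, not part of the original documentation or of Shibboleth: the names `LOA_RANK`, `asserted_rank` and `satisfies` are hypothetical, `env` is assumed to be the request environment populated by the SP, and only the two production identifiers shown on this page are ranked.

```python
# Added example: application-side LoA check behind the Shibboleth SP.
# Only the two production identifiers shown on this page are ranked; extend
# the table from the SURFconext LoA documentation for your environment.
LOA_RANK = {
    "http://surfconext.nl/assurance/loa2": 2,
    "http://surfconext.nl/assurance/loa3": 3,
}
# Assumption: the SP accepts sessions only from this gateway (value from the page).
GATEWAY_ENTITY_ID = "https://sa-gw.surfconext.nl/authentication/metadata"


class LoaError(Exception):
    """The session carries no usable LoA statement; treat as access denied."""


def asserted_rank(env):
    """Rank of the LoA the gateway asserted for this session (fails closed)."""
    if env.get("Shib-Identity-Provider") != GATEWAY_ENTITY_ID:
        raise LoaError("session was not issued by the expected gateway")
    ref = env.get("Shib-AuthnContext-Class")
    if ref not in LOA_RANK:
        # Missing value, or an identifier from another environment (e.g. pilot).
        raise LoaError("unknown AuthnContext class: %r" % (ref,))
    return LOA_RANK[ref]


def satisfies(env, required_ref):
    """True when the asserted LoA is at least the LoA the resource requires."""
    if required_ref not in LOA_RANK:
        raise ValueError("required LoA is not in LOA_RANK: %r" % (required_ref,))
    return asserted_rank(env) >= LOA_RANK[required_ref]


# Constructed sample: subset of the session variables shown above.
SAMPLE_ENV = {
    "Shib-Identity-Provider": GATEWAY_ENTITY_ID,
    "Shib-AuthnContext-Class": "http://surfconext.nl/assurance/loa3",
}

if __name__ == "__main__":
    loa2 = "http://surfconext.nl/assurance/loa2"
    print(satisfies(SAMPLE_ENV, loa2))  # LoA3 session on a LoA2 resource
    downgraded = dict(SAMPLE_ENV, **{"Shib-AuthnContext-Class": loa2})
    print(satisfies(downgraded, "http://surfconext.nl/assurance/loa3"))
```

An identifier that is absent from the table, such as one from the pilot environment, raises `LoaError` so that a misconfigured deployment denies access.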