
Basic configuration

When configuring a Shibboleth SP for step-up authentication, please refer to:

See also some generic instructions for connecting a Shibboleth SP to SURFconext:

SURFconext Strong Authentication Specific configuration

Request authentication at a specific LoA

The following example Apache configuration snippet triggers a SAML request with LoA 2 when a specific URL is requested. The LoA identifiers (e.g. http://surfconext.nl/assurance/loa2) are defined in Using Levels of Assurance to express strength of authentication. Note that these identifiers are unique to the production environment; other environments, such as the pilot environment, use different identifiers.

 

<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting authnContextClassRef http://surfconext.nl/assurance/loa2
    require valid-user
</Location>

 

An example of the resulting subset of environment variables:

 

[Shib-Application-ID] => default
[Shib-Session-ID] => _77421bdf5f17e10c70efb9a89aa3737e
[Shib-Identity-Provider] => https://sa-gw.surfconext.nl/authentication/metadata
[Shib-Authentication-Instant] => 2013-10-29T22:08:46Z
[Shib-Authentication-Method] => http://surfconext.nl/assurance/loa3
[Shib-AuthnContext-Class] => http://surfconext.nl/assurance/loa3
[Shib-Session-Index] => c8a493e33432686feb5cc683a9fd0c7c
[persistent-id] => https://sa-gw.surfconext.nl/authentication/metadata!https://my-sp.example.com/shibboleth!urn:collab:person:surfnet.nl:john

Note that in the example above a LoA2 authentication was requested (http://surfconext.nl/assurance/loa2) yet the user was authenticated at LoA3 (http://surfconext.nl/assurance/loa3).
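
Because the returned LoA can be higher than the one requested, an application that checks the level itself should compare by rank rather than by exact string match. The following is an added example, not part of the original page and not SURFconext or Shibboleth code: check_loa, LoaError and LOA_RANK are hypothetical names, the variables are assumed to arrive in a WSGI environ, and only the two production identifiers shown on this page are ranked.

```python
# Added example, not SURFconext or Shibboleth code.
# Only the two production identifiers that appear on this page are ranked.
LOA_RANK = {
    "http://surfconext.nl/assurance/loa2": 2,
    "http://surfconext.nl/assurance/loa3": 3,
}


class LoaError(Exception):
    """The session does not prove the required level of assurance."""


def check_loa(environ, required, expected_idp=None):
    """Return the asserted LoA identifier if it is at least `required`.

    environ      -- mapping holding the Shib-* variables (assumption: WSGI environ)
    required     -- LoA identifier the application needs for this resource
    expected_idp -- optional entityID the session must come from
    """
    if required not in LOA_RANK:
        raise ValueError("unknown required LoA: %r" % (required,))
    if expected_idp is not None and environ.get("Shib-Identity-Provider") != expected_idp:
        raise LoaError("session was not issued by %s" % expected_idp)
    asserted = environ.get("Shib-AuthnContext-Class", "")
    rank = LOA_RANK.get(asserted)
    if rank is None:
        # Missing value or an identifier from another environment: fail closed.
        raise LoaError("unrecognised LoA: %r" % (asserted,))
    if rank < LOA_RANK[required]:
        raise LoaError("LoA too low: got %s, need %s" % (asserted, required))
    return asserted


# Sample values copied from the environment dump on this page.
SAMPLE_ENV = {
    "Shib-Identity-Provider": "https://sa-gw.surfconext.nl/authentication/metadata",
    "Shib-AuthnContext-Class": "http://surfconext.nl/assurance/loa3",
}

if __name__ == "__main__":
    # LoA 2 is required, LoA 3 was asserted: accepted.
    print(check_loa(SAMPLE_ENV, "http://surfconext.nl/assurance/loa2"))
```

An identifier from another environment, such as the pilot environment, is not in the table and is therefore rejected until it is added explicitly.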

 
