This page shows example SAML 2.0 messages to illustrate how the SURFconext Strong Authentication Gateway uses SAML 2.0 to provide its functionality to Service Providers.
Requesting authentication at a specific LoA
An SP can request authentication at a specific LoA by specifying the LoA in the AuthnRequest. Note that an SP can send an AuthnRequest to the gateway at any time, also when a user is already logged in at the SP. This allows an SP to raise the LoA for a user who is already using the service, depending on the context, for instance the operation the user wants to perform at the SP.
The requested LoA is interpreted as a minimum LoA. The gateway:
- Will not perform authentication below the requested LoA
- May perform authentication at a higher LoA, in which case the higher LoA is expressed in the AuthnContextClassRef of the returned SAML Assertion
Because the returned LoA can differ from the requested one, the SP should compare the AuthnContextClassRef in the Assertion with the LoA it requested, and treat an Assertion carrying a lower or unrecognised LoA as a failed authentication rather than assuming the gateway honoured the request.
The LoA required by the SP is passed in the AuthnContextClassRef element inside a RequestedAuthnContext element in the SAML AuthnRequest.
Note that all AuthnRequest messages must be signed by the SP using a SHA-2 based signature algorithm (for example RSA-SHA256). The SP must use the HTTP-Redirect binding to submit the request. With this binding the signature is carried in HTTP request parameters (SigAlg and Signature, computed over the URL-encoded SAMLRequest, RelayState and SigAlg parameters); no XML Signature is used.
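The following is an added example, not code from SURFconext or from this page. It builds an AuthnRequest that asks for a minimum LoA via RequestedAuthnContext/AuthnContextClassRef, encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding, then a signature over the query string rather than an XML Signature), and shows the SP-side check that the LoA in the returned Assertion is at least the one requested. The LoA URIs (urn:example:loa:1..3), the entity IDs, the URLs and the signing callable are assumptions; a real SP passes a function that signs with its RSA private key, while the stand-in used in the demo run below only hashes the input.

```python
"""Added example (not SURFconext's own code): minimum-LoA AuthnRequest over
the HTTP-Redirect binding, plus the SP-side LoA check on the Assertion."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # a SHA-2 algorithm

# Hypothetical LoA identifiers ordered from low to high. The real gateway
# identifiers are not given on this page; substitute them here.
LOA_ORDER = ["urn:example:loa:1", "urn:example:loa:2", "urn:example:loa:3"]


def build_authn_request(sp_entity_id, acs_url, destination, loa,
                        request_id=None, issue_instant=None):
    """Return the AuthnRequest XML with the requested minimum LoA."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant
        or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext")
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = loa
    return ET.tostring(req, encoding="unicode")


def encode_redirect_request(xml, relay_state, sign, sig_alg=RSA_SHA256):
    """HTTP-Redirect binding: DEFLATE + base64 the XML, then sign the
    URL-encoded 'SAMLRequest=..&RelayState=..&SigAlg=..' string, not the XML.
    `sign` maps bytes to a raw signature; the SP supplies it with its key."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    params = [("SAMLRequest", base64.b64encode(deflated).decode())]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", sig_alg))
    to_sign = urlencode(params)
    signature = base64.b64encode(sign(to_sign.encode())).decode()
    return to_sign + "&" + urlencode({"Signature": signature})


def decode_redirect_request(query):
    """What the gateway does first: recover the AuthnRequest XML from the query."""
    qs = parse_qs(query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def requested_loa(authn_request_xml):
    root = ET.fromstring(authn_request_xml)
    el = root.find(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    return None if el is None else el.text


def returned_loa(assertion_xml):
    """LoA the gateway actually authenticated at, from the Assertion."""
    root = ET.fromstring(assertion_xml)
    el = root.find(f".//{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/"
                   f"{{{SAML}}}AuthnContextClassRef")
    return None if el is None else el.text


def loa_satisfies(returned, requested):
    """The requested LoA is a minimum: accept equal or higher, reject lower
    or unknown values instead of trusting that the request was honoured."""
    if returned not in LOA_ORDER or requested not in LOA_ORDER:
        return False
    return LOA_ORDER.index(returned) >= LOA_ORDER.index(requested)


if __name__ == "__main__":
    import hashlib
    xml = build_authn_request("https://sp.example.org/metadata",
                              "https://sp.example.org/acs",
                              "https://gateway.example.org/sso", LOA_ORDER[1])
    # Demo-only stand-in signer; a real SP signs with its RSA private key.
    query = encode_redirect_request(xml, "step-up-for-payment",
                                    lambda b: hashlib.sha256(b).digest())
    print("GET https://gateway.example.org/sso?" + query[:80] + "...")
    print("requested LoA:", requested_loa(decode_redirect_request(query)))
    for got in LOA_ORDER:
        print(got, "->", "accept" if loa_satisfies(got, LOA_ORDER[1]) else "reject")
```

The string that is signed is the URL-encoded query exactly as sent, so the SP must build the query and the signature input from the same encoding step; re-encoding the parameters differently on either side breaks verification.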