
Basic configuration

When configuring a Shibboleth SP for step-up authentication, please refer to:

See also some generic instructions for connecting a Shibboleth SP to SURFconext:

SURFconext Strong Authentication Specific configuration

Request authentication at a specific LoA

The following example Apache configuration snippet makes a request for a specific URL trigger a SAML request with LoA 2. The LoA identifiers (e.g. http://surfconext.nl/assurance/loa2) are defined in Using Levels of Assurance to express strength of authentication.

 

<Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting authnContextClassRef http://surfconext.nl/assurance/loa2
        require valid-user
</Location>

 

An example of the resulting subset of environment variables:
[Shib-Application-ID] => default
[Shib-Session-ID] => _77421bdf5f17e10c70efb9a89aa3737e
[Shib-Identity-Provider] => https://sa-gw.surfconext.nl/authentication/metadata
[Shib-Authentication-Instant] => 2013-10-29T22:08:46Z
[Shib-Authentication-Method] => http://surfconext.nl/assurance/loa3
[Shib-AuthnContext-Class] => http://surfconext.nl/assurance/loa3
[Shib-Session-Index] => c8a493e33432686feb5cc683a9fd0c7c
[persistent-id] => https://sa-gw.surfconext.nl/authentication/metadata!https://my-sp.example.com/shibboleth!urn:collab:person:surfnet.nl:john
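
The sample output above reports loa3 for a location that requests loa2, so an application behind /secure that needs a minimum LoA can compare the value it receives against that minimum. The following is an added example, not part of the original page or of SURFconext or Shibboleth code: the helper name check_step_up, the ranking of loa3 above loa2, and the optional freshness limit are assumptions made for illustration.

```python
from datetime import datetime, timezone

# LoA identifiers that appear on this page. Assumption: loa3 is stronger than
# loa2; add further levels from the LoA definitions before relying on them.
LOA_RANK = {
    "http://surfconext.nl/assurance/loa2": 2,
    "http://surfconext.nl/assurance/loa3": 3,
}
EXPECTED_IDP = "https://sa-gw.surfconext.nl/authentication/metadata"

# Constructed sample, copied from the environment variables shown above.
SAMPLE_ENV = {
    "Shib-Identity-Provider": EXPECTED_IDP,
    "Shib-Authentication-Instant": "2013-10-29T22:08:46Z",
    "Shib-AuthnContext-Class": "http://surfconext.nl/assurance/loa3",
}


def check_step_up(env, required_loa, max_age=None, now=None):
    """Hypothetical helper: return (ok, reason) for the Shibboleth variables."""
    if required_loa not in LOA_RANK:
        raise ValueError("unknown required LoA: %r" % (required_loa,))
    if env.get("Shib-Identity-Provider") != EXPECTED_IDP:
        return False, "unexpected identity provider"
    got = env.get("Shib-AuthnContext-Class")
    # Exact match on the full URI; missing or unknown values fail closed.
    if got not in LOA_RANK:
        return False, "missing or unknown AuthnContext class"
    if LOA_RANK[got] < LOA_RANK[required_loa]:
        return False, "LoA too low"
    if max_age is not None:
        # Optional freshness check on when the user actually authenticated.
        try:
            instant = datetime.strptime(
                env.get("Shib-Authentication-Instant", ""), "%Y-%m-%dT%H:%M:%SZ"
            ).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "bad authentication instant"
        if (now or datetime.now(timezone.utc)) - instant > max_age:
            return False, "authentication too old"
    return True, "ok"


if __name__ == "__main__":
    print(check_step_up(SAMPLE_ENV, "http://surfconext.nl/assurance/loa2"))
```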