
When configuring a Shibboleth SP for step-up authentication, please refer to:
Requesting an IAQ

To populate the <samlp:RequestedAuthnContext> element in the SP's requests, the AuthnContextClassRef content setting can be used.

Content settings are properties that can be set in a number of places in the SP to associate settings with resources, commonly via the Apache ShibRequestSetting command or the <RequestMap> in shibboleth2.xml, or by passing them as parameters to "/Shibboleth.sso/Login" if the SP's lazy session feature is being used to generate requests.

Currently, this mechanism only allows for a single IAQ to be requested. To include multiple values in a request, the AuthnRequest "template" mechanism described in the SessionInitiator documentation can be used.

NB: for a general description of connecting a Shibboleth SP to SURFconext, see:
An example Apache configuration snippet where a request for a specific URL triggers a SAML request with a higher LoA:
<Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting authnContextClassRef
        require valid-user
</Location>
The resulting subset of environment variables:
[Shib-Application-ID] => default
[Shib-Session-ID] => _77421bdf5f17e10c70efb9a89aa3737e
[Shib-Identity-Provider] =>
[Shib-Authentication-Instant] => 2013-10-29T22:08:46Z
[Shib-Authentication-Method] =>
[Shib-AuthnContext-Class] =>
[Shib-Session-Index] => c8a493e33432686feb5cc683a9fd0c7c
[persistent-id] =>!!
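
An added example, not part of the original page or of Shibboleth itself: an application-side check for the lazy-session case, which reads Shib-AuthnContext-Class from the exported variables and, when the session is too weak, builds the "/Shibboleth.sso/Login" URL that passes authnContextClassRef as a parameter. The LoA URIs, their ordering (a higher level is assumed to satisfy a lower one) and the function names are assumptions made for illustration.

```python
from urllib.parse import urlencode

# Constructed placeholder identifiers, weakest first. Substitute the IAQ/LoA
# URIs your federation publishes; this page does not list them.
LOA_ORDER = [
    "https://idp.example.org/assurance/loa1",
    "https://idp.example.org/assurance/loa2",
    "https://idp.example.org/assurance/loa3",
]
LOGIN_HANDLER = "/Shibboleth.sso/Login"  # handler path named on this page

# Constructed sample of the variables the SP exports for a low-assurance session.
SAMPLE_ENV = {
    "Shib-Session-ID": "_constructed_session_id",
    "Shib-AuthnContext-Class": LOA_ORDER[0],
}


def loa_rank(class_ref):
    """Position of class_ref in LOA_ORDER, or -1 if missing or unknown."""
    return LOA_ORDER.index(class_ref) if class_ref in LOA_ORDER else -1


def step_up_url(required, return_path):
    """Login handler URL carrying authnContextClassRef as a content setting."""
    # Accept only same-site paths so 'target' cannot become an open redirect.
    if (not return_path.startswith("/") or return_path.startswith("//")
            or "\\" in return_path):
        raise ValueError("return_path must be a local path")
    query = urlencode({"target": return_path, "authnContextClassRef": required})
    return LOGIN_HANDLER + "?" + query


def authorize(environ, required, return_path):
    """Return ("allow", None) or ("redirect", url) for one request."""
    if loa_rank(required) < 0:
        raise ValueError("required LoA is not in LOA_ORDER")
    has_session = bool(environ.get("Shib-Session-ID"))
    achieved = environ.get("Shib-AuthnContext-Class", "")
    # Fail closed: no session, or an empty or unknown class, never allows.
    if has_session and loa_rank(achieved) >= loa_rank(required):
        return ("allow", None)
    return ("redirect", step_up_url(required, return_path))


if __name__ == "__main__":
    print(authorize(SAMPLE_ENV, LOA_ORDER[1], "/secure/report"))
```

An empty Shib-AuthnContext-Class, as in the variable listing above, is treated as insufficient and triggers the step-up redirect.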