Forum Discussion

Gabriel_V_13146's avatar
Gabriel_V_13146
Icon for Cirrus rankCirrus
Apr 15, 2014

SAML AuthContextClassRef

Hello all,

 

using SAML SSO, in the SAML messages there's an element AuthContextClassRef, where a service provider can ask the identity provider to use certain authentication method and vice versa, the IdP pass back information how the user is authenticated (Password, X509, TLS, OTP, ..).

 

The F5 APM (BIGIP-11.4.1-plus-hf2.14-build2) stores the returned information in the user session (session.saml.last.authNContextClassRef). Using the F5 as SP, the authentication context returned from IdP is stored in the access policy history session.saml./Common/saml_policy_act_saml_auth_ag.authNContextClassRef. So the authentication policy flow can check how the user is authenticated (some application requires to use strong authentication).

 

Question: Is it possible to set the authContextClassRef before invoking the SAML AAA (IdP) server? So the authContextClassRef would be present already in the request.

 

Have fun Gabriel

 

BIG-IP Access Policy Manager (APM)
saml
security
  • Michael_Koyfman's avatar
    Michael_Koyfman
    Apr 15, 2014

    Unfortunately, it's not possible today. I strongly encourage you to open a case with F5 support and ask it to be linked to bug id 445569 to track interest and demand.

     

  • Michael_Koyfma1's avatar
    Michael_Koyfma1
    Icon for Cirrus rankCirrus
    Apr 15, 2014

    Unfortunately, it's not possible today. I strongly encourage you to open a case with F5 support and ask it to be linked to bug id 445569 to track interest and demand.

     

    • Gabriel_V_13146's avatar
      Gabriel_V_13146
      Icon for Cirrus rankCirrus
      Apr 15, 2014
      Thank you. At least we know where are the boundaries, what we can count with :)
    • Mattias_Anderss's avatar
      Mattias_Anderss
      Icon for Nimbostratus rankNimbostratus
      Mar 19, 2015
      This is a year old post, any update on this? We currently on 11.6 and we cannot find a way to modify authNContextClassRef. Is there any work around with iRules to set this value?
  • Michael_Koyfman's avatar
    Michael_Koyfman
    Icon for Cirrocumulus rankCirrocumulus
    Apr 15, 2014

    Unfortunately, it's not possible today. I strongly encourage you to open a case with F5 support and ask it to be linked to bug id 445569 to track interest and demand.

     

    • Gabriel_V_13146's avatar
      Gabriel_V_13146
      Icon for Cirrus rankCirrus
      Apr 15, 2014
      Thank you. At least we know where are the boundaries, what we can count with :)
    • Mattias_Anderss's avatar
      Mattias_Anderss
      Icon for Nimbostratus rankNimbostratus
      Mar 19, 2015
      This is a year old post, any update on this? We currently on 11.6 and we cannot find a way to modify authNContextClassRef. Is there any work around with iRules to set this value?