PingFederate Server

Overriding authentication context in an IdP connection

You can map authentication context values between the local and remote values in an OpenID Connect or a SAML 2.0 identity provider (IdP) connection.

About this task

This optional configuration overrides how authentication context values are communicated with partners in both the authentication or authorization requests and their responses. Any values that are not defined in this configuration are passed through as-is.

As needed, you can use an asterisk, *, to match any values, a blank value for a scenario where the partner or the local request does not specify an authentication value, or both.

Steps

  1. Go to Authentication → Integration → IdP Connections.

  2. Click the name of the connection to open it in the IdP Connection window.

  3. On the Activation & Summary tab, scroll down to the Protocol Settings section, then click Overrides.

  4. On the Overrides tab, specify the Local and Remote entry, then click Add.

  5. Repeat the previous step to define additional mappings.

    Click Edit, Update, or Cancel to make or undo a change to an existing entry. Click Delete or Undelete to remove an existing entry or cancel the removal request.

  6. Click Save to complete the configuration.

    Alternatively, click Next to carry on with the rest of the connection settings.

ExampleExample

Suppose you are the service provider (SP) and your target application requires either the urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos or urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified authentication context. While the IdP is capable of authenticating its users using a Kerberos-based authentication system, a proprietary identity management system, and a few internal web portals, the authentication context values are different than what your application supports. The authentication context values from the IdP are as follows.

Authentication method AuthnContextvalues

Kerberos-based authentication system

KerberosAuth

Internal web portals

password, portal, or web

Proprietary identity management system

No authentication context information is provided

To override the AuthnContext values from the IdP, you can configure the IdP connection with the following authentication context mappings.

Local Remote

urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos

KerberosAuth

urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

*

urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

The first entry maps KerberosAuth to urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos. The second entry maps any authentication context values including password and portal to urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified. The last entry overrides the authentication value to urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified in the event that the assertion does not contain any authentication context information.