Authentication context values can be mapped between the local and remote values in an OpenID Connect or a SAML 2.0 IdP connection. This optional configuration overrides how authentication context values are communicated with partners in both the authentication or authorization requests and their responses. Any values that are not defined in this configuration are passed through as-is.

As needed, you may use an asterisk (*) to match any values, a blank value for a scenario where the partner or the local request does not specify an authentication value, or both.

  1. Select the applicable IdP connection from the Service Provider menu.

    If the applicable connection is not one of the most recently edited connections, click Manage All under IdP Connections, and then select it from the IdP Connections screen.

    You may also configure authentication context overrides when you create a new IdP connection.

  2. On the Activation & Summary screen, scroll down to the Protocol Settings section, and then click Overrides.
  3. On the Overrides screen, specify the Local and Remote entry, and then click Add.
  4. Repeat the previous step to define additional mappings.

    Use the Edit, Update, and Cancel workflow to make or undo a change to an existing entry. Use the Delete and Undelete workflow to remove an existing entry or cancel the removal request.

  5. Click Save to complete the configuration.

    Alternatively, click Next to carry on with the rest of the connection settings.

Example

Suppose you are the SP and your target application requires either the urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos or urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified authentication context. While IdP is capable of authenticating its users using a Kerberos-based authentication system, a proprietary identity management system, and a few internal web portals, the authentication context values are different than what your application supports. The authentication context values from the IdP are as follows:
Authentication method AuthnContext values
Kerberos-based authentication system KerberosAuth
Internal web portals password, portal, or web
Proprietary identity management system No authentication context information is provided
To override the AuthnContext values from the IdP, you can configure the IdP connection with the following authentication context mappings:
Local Remote
urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos KerberosAuth
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified *
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

The first entry maps KerberosAuth to urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos. The second entry maps any authentication context values (including password and portal) to urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified. The last entry overrides the authentication value to urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified in the event that the assertion does not contain any authentication context information.