You can map authentication context values between the local and remote values in an OpenID Connect or a SAML 2.0 identity provider (IdP) connection.
This optional configuration overrides how authentication context values are communicated with partners in both the authentication or authorization requests and their responses. Any values that are not defined in this configuration are passed through as-is.
As needed, you can use an asterisk, *, to match any values, a blank value for a scenario where the partner or the local request does not specify an authentication value, or both.
Example

Your application supports the urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos or urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified authentication context. While the IdP is capable of authenticating its users using a Kerberos-based authentication system, a proprietary identity management system, and a few internal web portals, the authentication context values it sends are different from what your application supports. The authentication context values from the IdP are as follows.

Authentication method | AuthnContext values
---|---
Kerberos-based authentication system | KerberosAuth
Internal web portals | password, portal, or web
Proprietary identity management system | No authentication context information is provided

To map these values to the ones your application supports, configure the following entries.
Local | Remote
---|---
urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos | KerberosAuth
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified | *
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified | (blank)
The first entry maps KerberosAuth to urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos. The second entry maps any other authentication context value, including password and portal, to urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified. The last entry, with a blank remote value, sets the authentication context to urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified in the event that the assertion does not contain any authentication context information.
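The following is an added illustration of the matching rules described above for the incoming (remote to local) direction, not PingFederate's own code: an exact entry wins, a blank remote entry catches an assertion with no authentication context, the asterisk catches everything else, and values with no entry pass through as-is. The mapping table and the order of precedence are taken from the example above; the function and constant names are the author's assumptions.

```python
from typing import List, Optional, Tuple

# Local values your application understands (from the example above).
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# (local, remote) pairs as configured in the example table; "" is the blank entry.
EXAMPLE_MAPPING: List[Tuple[str, str]] = [
    (KERBEROS, "KerberosAuth"),
    (UNSPECIFIED, "*"),
    (UNSPECIFIED, ""),
]


def map_remote_to_local(remote_value: Optional[str],
                        mapping: List[Tuple[str, str]] = EXAMPLE_MAPPING) -> Optional[str]:
    """Translate the AuthnContext value received from the IdP into the local value.

    Returns None only when the assertion carries no value and no blank entry exists,
    which a relying party should treat as "no authentication context asserted".
    """
    remote_to_local = {remote: local for local, remote in mapping}

    # Case 1: the assertion contains no AuthnContext at all -> blank entry, if configured.
    if remote_value is None or remote_value == "":
        return remote_to_local.get("")

    # Case 2: an exact entry for this remote value takes precedence over the wildcard.
    if remote_value in remote_to_local and remote_value != "*":
        return remote_to_local[remote_value]

    # Case 3: the asterisk entry catches any remaining value.
    if "*" in remote_to_local:
        return remote_to_local["*"]

    # Case 4: not defined in the configuration -> passed through as-is.
    return remote_value


if __name__ == "__main__":
    # Constructed sample of values the example IdP might send, one per line.
    for received in ["KerberosAuth", "password", "portal", "web", None]:
        print(f"{received!r:16} -> {map_remote_to_local(received)}")
```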