Enable Authentication Context Requests at the SP-to-IdP Partnership

An SP can require information about the authentication process at the IdP so it has confidence in the assertion before granting access to resources.
sm1252sp1
When an SP sends an authentication request, it can request specific authentication context URIs. Each URI identifies the context that the SP wants the IdP to return in the assertion.
The authentication context template at the SP defines the following information:
  • Which URIs the SP wants to receive from the IdP. For outgoing requests, the URIs in the template indicate which authentication contexts are acceptable to the SP before it allows access to the requested resource.
  • How the URIs in the request are compared to the URIs defined at the IdP.
  • How the SP uses the URIs. The SP can include URIs in the outgoing authentication request. The SP can also validate URIs in the incoming assertion response. You can configure the URI usage for both functions.
You can select a template on a per-partnership basis and multiple partnerships can use a single template.
To request that an IdP return the authentication context in an assertion, the SP can use one of the following methods:
  • Enable that request at the SP->IdP partnership using the Administrative UI. Use this method if the SP wants to request the same authentication context URIs in every request.
  • Dynamically select which AuthnContext URIs to request and the comparison operator by appending the ReqAuthnContext and CompOP query parameters to the Authentication Request URL. Using query parameters lets you determine the AuthnContext on a per-request basis. For query parameters to take precedence, select the Query Parameter Overrides Configuration option. Query parameters always take precedence over the configuration.
The following procedure describes the configuration method using the UI. We recommend that you create an authentication context template first.
Follow these steps:
  1. Log in to the Administrative UI.
  2. Select the SP->IdP partnership you want to edit.
  3. Navigate to the Configure AuthnContext step in the partnership wizard.
    The configuration dialog opens.
  4. Select the Enable Authentication Context Processing check box.
  5. Complete the fields in the dialog. Note the following information:
    • If no authentication context template exists, select Create template.
    • The Comparison field describes how the URIs in the SP authentication request are compared with the URIs configured at the Identity Provider.
    • If you are selecting URIs from the Available URIs list, the available URIs reflect the URIs configured for the chosen template. If there are no predefined templates, click Create Template to configure one.
The authentication context request is included in the authentication requests sent to the Identity Provider.
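The two halves of the template described above (the URIs the SP puts in its outgoing request, and the check the SP applies to the AuthnContext the IdP returns) are illustrated by the following added example. It is generic SAML 2.0 code written for this page, not SiteMinder code; the Comparison values are the ones defined by the SAML 2.0 protocol schema, while the ordering of the template URIs from weakest to strongest, the sample assertion, and the reading of minimum/maximum/better in terms of that ordering are constructed assumptions.

```python
"""Added example (not SiteMinder code): build a <samlp:RequestedAuthnContext>
for the SP's outgoing AuthnRequest and validate the AuthnContextClassRef an
IdP returns in an assertion against the SP's template."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Comparison values defined by SAML 2.0 Core for RequestedAuthnContext/@Comparison.
COMPARISONS = ("exact", "minimum", "maximum", "better")

# Constructed template: URIs the SP accepts, ordered weakest to strongest.
# The ordering is an assumption; SAML leaves relative strength to the deployment.
TEMPLATE_URIS = [
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
]

# Constructed sample assertion, as an IdP might return it (signature omitted).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_c1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{TEMPLATE_URIS[1]}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def build_requested_authn_context(uris, comparison="exact"):
    """Return the <samlp:RequestedAuthnContext> element to embed in an AuthnRequest."""
    if comparison not in COMPARISONS:
        raise ValueError(f"unknown Comparison value: {comparison}")
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", Comparison=comparison)
    for uri in uris:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = uri
    return rac


def serialize(element):
    """Serialize an element to a unicode XML string."""
    return ET.tostring(element, encoding="unicode")


def returned_context_class(assertion_xml):
    """Extract the AuthnContextClassRef from an assertion; None if it is absent."""
    root = ET.fromstring(assertion_xml)
    path = (f".//{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/"
            f"{{{SAML}}}AuthnContextClassRef")
    node = root.find(path)
    return node.text.strip() if node is not None and node.text else None


def context_acceptable(returned_uri, requested_uris, comparison, ordering=TEMPLATE_URIS):
    """SP-side check of the returned URI against the requested ones.

    This checks only the authentication context; the assertion's signature,
    audience and validity period must already have been verified elsewhere.
    exact:   returned URI must be one of the requested URIs.
    minimum: at least as strong as the weakest requested URI (assumed reading).
    maximum: no stronger than the strongest requested URI (assumed reading).
    better:  strictly stronger than every requested URI (assumed reading).
    """
    if returned_uri is None or returned_uri not in ordering:
        return False  # a missing or unknown context is rejected, not trusted
    if comparison == "exact":
        return returned_uri in requested_uris
    ranks = [ordering.index(u) for u in requested_uris if u in ordering]
    if not ranks:
        return False
    got = ordering.index(returned_uri)
    if comparison == "minimum":
        return got >= min(ranks)
    if comparison == "maximum":
        return got <= max(ranks)
    if comparison == "better":
        return got > max(ranks)
    raise ValueError(f"unknown Comparison value: {comparison}")


if __name__ == "__main__":
    rac = build_requested_authn_context([TEMPLATE_URIS[0]], "minimum")
    print(serialize(rac))
    got = returned_context_class(SAMPLE_ASSERTION)
    print(got, context_acceptable(got, [TEMPLATE_URIS[0]], "minimum"))
```

Running the block prints the RequestedAuthnContext element the SP would send and shows that an X509 context satisfies a "minimum PasswordProtectedTransport" request under the assumed ordering. The rejection of a missing or unrecognized AuthnContextClassRef is deliberate: an SP that requests a context and then grants access on an assertion that does not carry an acceptable one has lost the assurance the template was meant to provide.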