Enable Authentication Context Processing at the Local IdP Partnership

The IdP can obtain the authentication context for an assertion in two ways:
  • Use a predefined authentication class
    Specify a URI for the authentication class and ignore the context request from the SP. A hard-coded entry can act as the default authentication context for IdP-initiated single sign-on.
  • Detect the authentication class automatically
    The IdP maps the protection level of the authentication scheme that established the session to an authentication context class URI, using the authentication context template.
    The IdP uses the template even when the authentication request from the SP does not include the <RequestedAuthnContext> element. When the element is present, the IdP performs an extra evaluation and the requested classes constrain what the IdP can put in the assertion.
    You can find more information about the flow of authentication context processing.
Follow these steps:
  1. Navigate to the SSO and SLO step in the IdP->SP partnership wizard.
  2. In the Authentication section, specify how to obtain the authentication context. Use a predefined authentication class or an automatically detected class with an authentication context template.
  3. Follow the steps for the method chosen in the previous step:
    To include a predefined class in the assertion, select a URI from the Authentication Class pull-down menu.
    To include a class from the session context and a template, select a template from the Authentication Context Template field or click Create Template.
  4. (Optional) Select the Ignore RequestedAuthnContext check box if the IdP should disregard the <RequestedAuthnContext> element in the SP request. The effect of this check box depends on the method chosen in step 2.
The following table shows how the Configure AuthnContext and the Ignore RequestedAuthnContext settings work together:

Configure AuthnContext | Ignore RequestedAuthnContext | SP requests AuthnContext | Result
Predefined Class | Selected | Yes | IdP ignores the <RequestedAuthnContext> and uses the defined value in the assertion.
Predefined Class | Selected | No | IdP returns the defined value in the assertion by default.
Predefined Class | Not selected | Yes | Transaction fails because the IdP is not configured to handle the authentication context request. The IdP returns an error message to the SP.
Predefined Class | Not selected | No | IdP returns the defined class value in the assertion by default.
Automatically Detect Class | Selected | Yes | IdP compares the protection level for the authentication scheme against the authentication context template and returns the matching authentication URI in the assertion. The IdP ignores the values in the SP request.
Automatically Detect Class | Selected | No | IdP compares the protection level for the authentication scheme against the authentication context template and returns the matching authentication URI in the assertion. There is no SP request to consider.
Automatically Detect Class | Not selected | Yes | IdP compares the protection level against the authentication context class that the SP sends. The IdP uses the authentication context template to determine the authentication URI it places in the assertion.
Automatically Detect Class | Not selected | No | IdP compares the protection level for the authentication scheme against the authentication context template and returns the matching authentication URI in the assertion.
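The decision table above, modelled as runnable code. This is an added example written for this page, not SiteMinder code: the template format (an ordered list of minimum protection level to class URI), the numeric protection levels, the "minimum" comparison rule used when the SP's request constrains the answer, and the sample AuthnRequest messages (IDs, Issuer) are all assumptions made for illustration. It parses a SAML AuthnRequest to decide whether the SP sent <RequestedAuthnContext>, then applies each row of the table, including the IdP-initiated case with no request at all.

```python
"""Decision model for the Configure AuthnContext / Ignore RequestedAuthnContext table.

Added example, not SiteMinder code. The template shape, the protection levels and
the "minimum" comparison rule are assumptions made for illustration.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

PASSWORD_URI = AC + "PasswordProtectedTransport"
X509_URI = AC + "X509"
SMARTCARD_URI = AC + "SmartcardPKI"

# Assumed shape of an authentication context template: minimum protection level
# of the authentication scheme -> context class URI to assert, ordered ascending.
TEMPLATE = [
    (5, PASSWORD_URI),
    (10, X509_URI),
    (20, SMARTCARD_URI),
]

# Constructed sample AuthnRequests (ID, IssueInstant and Issuer are made up).
REQUEST_WITH_CONTEXT = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.com/saml</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>{X509_URI}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

REQUEST_NO_CONTEXT = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_d4e5f6" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.com/saml</saml:Issuer>
</samlp:AuthnRequest>"""


class AuthnContextError(Exception):
    """Raised where the table says the transaction fails and the IdP returns an error."""


def requested_classes(authn_request_xml):
    """Return the AuthnContextClassRef URIs inside <RequestedAuthnContext>, if any."""
    root = ET.fromstring(authn_request_xml)
    ns = {"samlp": SAMLP, "saml": SAML}
    path = "samlp:RequestedAuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in root.findall(path, ns) if e.text]


def class_for_level(protection_level):
    """Highest template entry that the scheme's protection level satisfies."""
    matched = None
    for min_level, uri in TEMPLATE:
        if protection_level >= min_level:
            matched = uri
    if matched is None:
        raise AuthnContextError("protection level %d matches no template entry" % protection_level)
    return matched


def level_for_class(uri):
    """Minimum protection level the template associates with a class URI."""
    for min_level, template_uri in TEMPLATE:
        if template_uri == uri:
            return min_level
    raise AuthnContextError("requested class not in template: %s" % uri)


def choose_authn_context(mode, ignore_requested, authn_request_xml, protection_level, predefined_uri=None):
    """Return the AuthnContextClassRef the IdP places in the assertion.

    mode is "predefined" or "auto"; authn_request_xml is None for IdP-initiated SSO.
    """
    requested = requested_classes(authn_request_xml) if authn_request_xml else []
    sp_requests_context = bool(requested)

    if mode == "predefined":
        if sp_requests_context and not ignore_requested:
            # Table row 3: the IdP is not configured to handle the request -> error to the SP.
            raise AuthnContextError("IdP is not configured to handle RequestedAuthnContext")
        # Rows 1, 2 and 4: the hard-coded value is the default, also for IdP-initiated SSO.
        return predefined_uri

    if mode == "auto":
        asserted = class_for_level(protection_level)
        if sp_requests_context and not ignore_requested:
            # Row 7: the SP's request constrains the answer. Assumed "minimum" comparison:
            # the scheme's level must satisfy at least one requested class.
            if not any(protection_level >= level_for_class(r) for r in requested):
                raise AuthnContextError("scheme level %d does not satisfy %s" % (protection_level, requested))
        # Rows 5, 6 and 8: the template alone decides the URI that goes in the assertion.
        return asserted

    raise ValueError("mode must be 'predefined' or 'auto'")
```

Row 7 is the only one where the SP can make the transaction fail on a valid configuration: a scheme whose protection level falls below every class the SP asked for produces an error rather than an assertion claiming a stronger context than the session actually has.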