Child pages
  • How to request authentication contexts

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

SAML authentication contexts

The XML namespaces used in the examples:

  • samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
  • saml="urn:oasis:names:tc:SAML:2.0:assertion

Example 1: An SP requests MFA

An SP requests MFA (Comparison attribute present):

...

<samlp:Status>
 <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext”/>
</samlp:Status>

Example 2: An SP prefers MFA but accepts SFA

An SP presents a list of authentication contexts in the order of preference (Comparison attribute omitted, applying the default value “exact”):

...

Note: according to the SAML 2.0 specification, an Identity Provider can present only one authentication context in the response.

OpenID Connectr acr claims

Example 1: An RP requests MFA

An RP issues a claims request, with “essential”:true qualifier as defined in [OIDC Core, section 5.5]:

...

N.B. Currently there is no standard error code to signal OP’s inability to satisfy the requested authentication context. A dedicated error code may be later published by competent specification bodies.

Example 2: An RP prefers MFA but accepts SFA

An RP issues a claims request with a list of authentication contexts in the order of preference and “essential”:true qualifier as defined in [OIDC Core, section 5.5]:

...