
Handling of missing authentication context class

Open c00kiemon5ter opened this issue 7 years ago • 0 comments

Working on multi-factor login, I have observed that Satosa is handling requests for missing authentication context classes wrongly. If an SP asks for the authentication context class https://refeds.org/mfa, the user logs in and the authentication context class reference urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified is returned.

In the SAML2 specification SAML 2.0 Protocol Extension for Requested Authentication Context it is defined that the IdP should return a SAML error if the IdP or the user who logs in cannot satisfy the request. Or, as it says in the specification:

If the responder is unable to satisfy the specified Authentication Context then the responder MUST return a <Response> message with a second-level <StatusCode> of urn:oasis:names:tc:SAML:2.0:protocol:NoAuthnContext.

(created on behalf of Pal; thanks for letting me know)

c00kiemon5ter, Sep 06 '18 14:09
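A small illustration of the behaviour the issue asks for, added here and not code from SATOSA or pysaml2: it compares the class the SP requested with the class the user actually achieved and builds the `<samlp:Status>` an IdP has to put in its `<Response>`. Only the `exact` comparison is implemented; refusing the other comparison modes is an assumption made for this example, not something the issue or the quoted specification states.

```python
"""Decide whether an IdP (or proxy) can honour a <RequestedAuthnContext>
and build the matching <samlp:Status>: Success when the achieved class
satisfies the request, otherwise Responder with the second-level code
NoAuthnContext, as quoted in the issue above.  Example code, not SATOSA."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = f"{SAMLP}:Success"
RESPONDER = f"{SAMLP}:Responder"
NO_AUTHN_CONTEXT = f"{SAMLP}:NoAuthnContext"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
MFA = "https://refeds.org/mfa"


def context_satisfied(requested, achieved, comparison="exact"):
    """True if `achieved` satisfies the SP's request.

    `requested` holds the <AuthnContextClassRef> values from the
    <RequestedAuthnContext>; an empty list means the SP asked for nothing
    in particular, so any class is acceptable."""
    if not requested:
        return True
    if comparison != "exact":
        # Assumption for this example: 'minimum'/'better'/'maximum' need a
        # deployment-defined ordering of classes, so treat them as unmet.
        return False
    return achieved in requested


def build_status(requested, achieved, comparison="exact"):
    """Return the <samlp:Status> element to place in the <Response>."""
    status = ET.Element(f"{{{SAMLP}}}Status")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode")
    if context_satisfied(requested, achieved, comparison):
        top.set("Value", SUCCESS)
    else:
        # Top-level code must be one of the four permitted values; Responder
        # (the IdP could not act) is used here, with NoAuthnContext nested.
        top.set("Value", RESPONDER)
        ET.SubElement(top, f"{{{SAMLP}}}StatusCode").set("Value", NO_AUTHN_CONTEXT)
    return status


def top_level_code(status):
    return status.find(f"{{{SAMLP}}}StatusCode").get("Value")


def second_level_code(status):
    """Second-level StatusCode value, or None when there is none."""
    nested = status.find(f"{{{SAMLP}}}StatusCode/{{{SAMLP}}}StatusCode")
    return None if nested is None else nested.get("Value")


if __name__ == "__main__":
    # Constructed scenario from the issue: SP asks for REFEDS MFA but the
    # user only reaches 'unspecified', so the answer must not be Success.
    ET.register_namespace("samlp", SAMLP)
    print(ET.tostring(build_status([MFA], UNSPECIFIED), encoding="unicode"))
    print(ET.tostring(build_status([MFA], MFA), encoding="unicode"))
```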