
Use of PasswordProtectedTransport in the request


Hi,

I am struggling to understand how to configure pysaml2 and add the RequestedAuthnContext in my requests. I have an SP and I would need to add the following SAML assertions in my request during the login:

    <samlp:RequestedAuthnContext>
      <saml:AuthnContextClassRef>
        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>

I am struggling because I cannot see a configuration to apply these assertions. I tried to implement it in different ways in the code but I cannot make it work. I believe this is possible as I can see it from here: https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/samlp.py

I can see:

    AUTHN_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
    AUTHN_PASSWORD_PROTECTED = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

I also saw a test here: https://github.com/IdentityPython/pysaml2/blob/f22506ed9ffb737e6e26942fa5d3f3ba851c0a87/tests/test_77_authn_context.py#L68

I just do not know how to reference that unfortunately. I have a simple configuration like this:

    "service": {
      "sp": {
        "name": "BLABLA",
        "allow_unsolicited": true,
        "want_response_signed": false,
        "logout_requests_signed": true,
        "endpoints": {
          "assertion_consumer_service": ["https://mywebste…"],
          "single_logout_service": [
            ["https://mywebste…", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"]
          ]
        }
      }
    }

Does anybody know how to perform that request using the "saml:AuthnContextClassRef"?

Thanks.

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:6 (3 by maintainers)

Top GitHub Comments

1 reaction
Ptr32Void commented, May 18, 2020

I solved it. I tried a few ways similar to this https://github.com/peppelinux/Django-Identity/blob/6cc304d96c5a52d4536b19cfc21d270222e57068/djangosaml2_sp/djangosaml2_sp/djangosaml2_spid/views.py#L143 but I also re-used prepare_for_authenticate and kwargs which makes the code more readable.

Thanks a lot @peppelinux

0 reactions
Ptr32Void commented, May 17, 2020

Thanks! Yep, I took a look at it… still navigating the code and trying to apply similar structure to my code. I’ll keep you posted
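
The approach mentioned in the comments (passing the context through prepare_for_authenticate keyword arguments), as an added example that is not code from the issue or from the pysaml2 project. `prepare_login`, `requested_context`, `SAMPLE_REQUEST` and the sp.example.org issuer are hypothetical names and constructed data; `comparison="exact"` is an assumed choice that matches the SAML default for a request with no Comparison attribute.

```python
import xml.etree.ElementTree as ET

PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of the AuthnRequest the SP is expected to emit.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="id-constructed" Version="2.0"
    IssueInstant="2020-05-18T00:00:00Z">
  <saml:Issuer>https://sp.example.org/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>
      {PPT}
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def prepare_login(client, idp_entity_id):
    """Ask the IdP for PasswordProtectedTransport.

    `client` is an already configured saml2.client.Saml2Client.
    Returns pysaml2's (request_id, http_info) tuple.
    """
    # Imported here so the checker below also runs where pysaml2 is absent.
    from saml2.authn_context import requested_authn_context

    # Extra keyword arguments are forwarded to create_authn_request().
    return client.prepare_for_authenticate(
        entityid=idp_entity_id,
        requested_authn_context=requested_authn_context(PPT, comparison="exact"),
    )


def requested_context(authn_request_xml):
    """Return (comparison, [class refs]) from the SP's own AuthnRequest XML,
    or None when no RequestedAuthnContext element is present."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None
    refs = [(e.text or "").strip()
            for e in rac.findall("saml:AuthnContextClassRef", NS)]
    # SAML core: Comparison defaults to "exact" when the attribute is omitted.
    return rac.get("Comparison", "exact"), refs
```

Running `requested_context` over a decoded outgoing request in a test confirms the element is actually sent; the IdP reports the context it used in the assertion's AuthnStatement, which the SP still has to check on the response.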
