Question

test-1513 asked:

How to configure AuthnContext for SAML Response in Azure AD

How to configure AuthnContext for SAML Response in Azure AD

 <samlp:Response
   Destination="https://iam-client-test.us-east.philips-healthsuite.com/authorize/saml2/Consumer/metaAlias/sp-src-sts"
   ID="_551f33a7-0948-4d5f-8d94-8f1a6429b6a6" InResponseTo="s26391981fd28232f9e4355773a49f3d1f9dd4673b"
   IssueInstant="2020-04-30T06:17:47.297Z" Version="2.0"
   xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/bf70d2cc-3261-4051-8a37-376cb59280e1/</Issuer>
   <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
   <Assertion ID="_c3de3e6b-a4fe-4eba-b7bf-824ef604ec00" IssueInstant="2020-04-30T06:17:47.297Z"
     Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
     <Issuer>https://sts.windows.net/bf70d2cc-3261-4051-8a37-376cb59280e1/</Issuer>
     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
       <SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
         <Reference URI="#_c3de3e6b-a4fe-4eba-b7bf-824ef604ec00">
           <Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
           <DigestValue>AE98Z9l1LAw3HmxABYmPF368aIAKhuNI4Au+pO2ONhE=</DigestValue>
         </Reference>
       </SignedInfo>
       <SignatureValue>CLuYTa33mvmMbDIdc2O5K74mKk0SGmzNOKzRTIaonRkhqBuB4cjP0FAOHBX3DBGdR1b+S/HQcV5Hi3VI9KYXaLCQ4VmgLK5qFBC/MNUwtwx5pqxFD2V5xvUHTjnt/EWHMqm2Byg3HFoudy9T+ZY+w0Y85XQYRm7BNhFNeWlj2o1+luDicfcCHPSbmdwp1u/OaU3r8dzTiQi3yT5Ix80ejhZTKr2GBcmdZzifvwN6OutaKFxNbh1bzEp/Bu1RTkYuxJ5G5EmQpCmwkks8ms5CcTptf0fA4HxmUWjoGkRGdy+Nsa97TjAVAq2hQ6PAzlZ4g7sYCXXz17ETAPHaYSA+6Q==</SignatureValue>
       <KeyInfo>
         <X509Data>
           <X509Certificate>…</X509Certificate>
         </X509Data>
       </KeyInfo>
     </Signature>
     <Subject>
       <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="sp-src-sts">N8kHZrWb-2tpYeslSb3M_HraTCZeAK-xZdoolFKUIbs</NameID>
       <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="s26391981fd28232f9e4355773a49f3d1f9dd4673b"
         NotOnOrAfter="2020-04-30T07:17:47.126Z"
         Recipient="https://iam-client-test.us-east.philips-healthsuite.com/authorize/saml2/Consumer/metaAlias/sp-src-sts"/></SubjectConfirmation>
     </Subject>
     <Conditions NotBefore="2020-04-30T06:12:47.126Z" NotOnOrAfter="2020-04-30T07:17:47.126Z">
       <AudienceRestriction>
         <Audience>sp-src-sts</Audience>
       </AudienceRestriction>
     </Conditions>
     <AttributeStatement>
       <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
         <AttributeValue>bf70d2cc-3261-4051-8a37-376cb59280e1</AttributeValue>
       </Attribute>
       <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
         <AttributeValue>33641d6a-24f8-4421-be51-82433a15f934</AttributeValue>
       </Attribute>
       <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
         <AttributeValue>test</AttributeValue>
       </Attribute>
       <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
         <AttributeValue>https://sts.windows.net/bf70d2cc-3261-4051-8a37-376cb59280e1/</AttributeValue>
       </Attribute>
       <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
         <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
         <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
       </Attribute>
       <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
         <AttributeValue>test</AttributeValue>
       </Attribute>
       <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
         <AttributeValue>test</AttributeValue>
       </Attribute>
       <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
         <AttributeValue>test@srcco.onmicrosoft.com</AttributeValue>
       </Attribute>
     </AttributeStatement>
     <AuthnStatement AuthnInstant="2020-04-06T07:02:17.820Z"
       SessionIndex="_c3de3e6b-a4fe-4eba-b7bf-824ef604ec00">
       <AuthnContext>
         <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
       </AuthnContext>
     </AuthnStatement>
   </Assertion>
 </samlp:Response>

azure-active-directory

1 Answer

SaurabhSharma-msft answered:

You need to use the RequestedAuthnContext element to specify the desired authentication methods, and you need to add AuthnContextClassRef values such as urn:oasis:names:tc:SAML:2.0:ac:classes:Password.

So, your SAML authentication request would look like the one below:

 <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7171b0b2-19f2-4ba2-8f94-24b5e56b7f1e" IssueInstant="2014-01-30T16:18:35Z" Version="2.0" AssertionConsumerServiceIndex="0">
   <saml:Issuer>urn:federation:MicrosoftOnline</saml:Issuer>
   <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
   <samlp:RequestedAuthnContext Comparison="exact">
     <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
   </samlp:RequestedAuthnContext>
 </samlp:AuthnRequest>

Please refer to the documentation -


@test-1513 Please let me know if you find the above reply useful. If yes, do click on the 'Mark as answer' link in the above reply.

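As an added example (not code from the question, the answer, or Azure AD), the following Python builds the AuthnRequest with a RequestedAuthnContext as described in the answer and then performs the service-provider-side check that the AuthnContextClassRef coming back in the Response is one that was actually requested. Element and attribute names are the SAML 2.0 ones seen on this page; the trimmed sample Response, the request ID `_req1` and the function names are constructed for the example, and signature, Conditions and Recipient validation are assumed to happen before this check.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def build_authn_request(request_id, issuer, issue_instant, class_refs, comparison="exact"):
    """SP side: build an AuthnRequest carrying a RequestedAuthnContext, the
    element the answer says is needed to get a specific AuthnContext back."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "AssertionConsumerServiceIndex": "0"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"})
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": comparison})
    for ref in class_refs:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return ET.tostring(req, encoding="unicode")


def check_authn_context(response_xml, request_id, accepted_class_refs):
    """SP side: accept the Response only if it answers our request and every
    AuthnContextClassRef in it is one we asked for, so a Password-only login
    cannot satisfy an SP that required a stronger context. Signature,
    Conditions and Recipient are assumed to have been validated already."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != request_id:
        return False, "InResponseTo does not match the request we sent"
    refs = [e.text for e in root.iter(f"{{{SAML}}}AuthnContextClassRef")]
    if not refs:
        return False, "assertion carries no AuthnContextClassRef"
    unexpected = [r for r in refs if r not in accepted_class_refs]
    if unexpected:
        return False, "unexpected AuthnContextClassRef: " + ", ".join(unexpected)
    return True, refs[0]


# Constructed, unsigned, trimmed-down Response in the shape of the one in the
# question (only the elements this check looks at); not a real IdP message.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" InResponseTo="_req1" Version="2.0">
  <Assertion xmlns="{SAML}" ID="_a1" Version="2.0">
    <AuthnStatement AuthnInstant="2020-04-06T07:02:17Z" SessionIndex="_a1">
      <AuthnContext><AuthnContextClassRef>{PASSWORD}</AuthnContextClassRef></AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>"""
```

The second return value carries the accepted class reference on success and the reason for rejection otherwise, which is what you would want to log when an IdP returns a weaker context than the one requested.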