Supported SAML Authentication Context Classes and Strengths


This topic provides information about the SAML authentication context classes that Active Directory® Federation Services (AD FS) 2.0 supports, and about how AD FS 2.0 interprets the relative strength of different authentication methods when it evaluates a requested authentication context.

SAML authentication context classes are URIs that specify authentication methods in SAML authentication requests and authentication statements. They are defined in section 3.4 of the Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0 Specification (https://go.microsoft.com/fwlink/?LinkId=217497). Only a subset of the authentication context classes defined in this specification is supported by AD FS 2.0.

Supported SAML Authentication Context Classes

Authentication Method                   Authentication Context Class URI
-------------------------------------   -----------------------------------------------------------------
User Name and Password                  urn:oasis:names:tc:SAML:2.0:ac:classes:Password
Password Protected Transport            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Transport Layer Security (TLS) Client   urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
X.509 Certificate                       urn:oasis:names:tc:SAML:2.0:ac:classes:X509
Integrated Windows Authentication       urn:federation:authentication:windows
Kerberos                                urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos

In RP-initiated sign-on, a relying party (RP) can specify the Comparison attribute on a <RequestedAuthnContext> element to indicate how the authentication context should be evaluated based on the relative strengths of the authentication context classes specified in the request and the authentication methods offered by an IdP. If no Comparison attribute is specified, a value of “Exact” is assumed. (In IdP-initiated sign-on from AD FS 2.0, the equivalent behavior is implemented by setting the Comparison property on the RequestedAuthenticationContext passed in the SignOnRequestParameters to the SignIn method.)

When processing a SAML authentication request, the interpretation of the relative strengths of the different authentication context classes included in a requested authentication context is up to the responder. AD FS 2.0 interprets the relative strength of different authentication context classes according to the order in which they are configured in the Authentication Context Order settings. These settings are exposed as the AuthenticationContextOrder property of the ServiceProperties object and can be viewed using the Get-ADFSProperties cmdlet or set using the Set-ADFSProperties cmdlet. The following shows the relative strengths of the authentication context classes set in the default Authentication Context Order settings. The classes are listed in ascending order of strength (weakest first).

urn:oasis:names:tc:SAML:2.0:ac:classes:Password  
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport  
urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient  
urn:oasis:names:tc:SAML:2.0:ac:classes:X509  
urn:federation:authentication:windows  
urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos  
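The following is an added example, not part of this topic and not AD FS code. It models how a responder that ranks authentication context classes by their position in an order list (weakest first) evaluates the Comparison attribute of a <RequestedAuthnContext>, following the semantics in section 3.3.2.2.1 of the SAML 2.0 Core specification. The function names, the $AuthnContextOrder variable and the sample request are assumptions made for illustration; AD FS 2.0 does not expose this evaluation as a cmdlet.

```powershell
# Added example, not AD FS code: a model of how a responder that ranks
# authentication context classes by position (weakest first) evaluates the
# Comparison attribute of a <RequestedAuthnContext>. Semantics follow
# SAML 2.0 Core, section 3.3.2.2.1. Function and variable names are assumed.

# Default AD FS 2.0 Authentication Context Order, weakest first.
$AuthnContextOrder = @(
    'urn:oasis:names:tc:SAML:2.0:ac:classes:Password',
    'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
    'urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient',
    'urn:oasis:names:tc:SAML:2.0:ac:classes:X509',
    'urn:federation:authentication:windows',
    'urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos'
)

function Get-AuthnContextRank {
    # Position in the order list is the strength. URIs are case-sensitive, so a
    # misspelt class (for example TLSCLient) is rejected rather than ranked.
    param([string[]] $Order, [string] $ClassRef)
    $rank = [Array]::IndexOf($Order, $ClassRef)
    if ($rank -lt 0) { throw "Unsupported authentication context class: $ClassRef" }
    return $rank
}

function Test-AuthnContextSatisfied {
    param(
        [string[]] $Order,        # responder's order list, weakest first
        [string[]] $Requested,    # AuthnContextClassRef values from the request
        [string]   $Comparison,   # exact | minimum | better | maximum (default exact)
        [string]   $Actual        # class of the method the user actually authenticated with
    )
    if (-not $Comparison) { $Comparison = 'exact' }   # SAML default when the attribute is absent
    $actualRank         = Get-AuthnContextRank -Order $Order -ClassRef $Actual
    $requestedRanks     = @($Requested | ForEach-Object { Get-AuthnContextRank -Order $Order -ClassRef $_ })
    $strongestRequested = ($requestedRanks | Measure-Object -Maximum).Maximum
    $weakestRequested   = ($requestedRanks | Measure-Object -Minimum).Minimum

    switch ($Comparison.ToLowerInvariant()) {
        # exact: the actual class must be one of the requested classes.
        'exact'   { return [bool] ($Requested -ccontains $Actual) }
        # minimum: at least as strong as (at or above) some requested class.
        'minimum' { return ($actualRank -ge $weakestRequested) }
        # better: strictly stronger than every requested class.
        'better'  { return ($actualRank -gt $strongestRequested) }
        # maximum: no stronger than some requested class (the responder is
        # expected to pick the strongest method it has that still meets this).
        'maximum' { return ($actualRank -le $strongestRequested) }
        default   { throw "Unknown Comparison value: $Comparison" }
    }
}

# Constructed request: the RP asks for at least X509 (Comparison="minimum").
$requested = @('urn:oasis:names:tc:SAML:2.0:ac:classes:X509')
foreach ($actual in @('urn:oasis:names:tc:SAML:2.0:ac:classes:Password',
                      'urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos')) {
    $ok = Test-AuthnContextSatisfied -Order $AuthnContextOrder -Requested $requested -Comparison 'minimum' -Actual $actual
    Write-Output ("minimum X509, actual {0}: {1}" -f $actual, $ok)
}

# The same request evaluated against a reordered list that moves Password to the
# top (strongest). Because strength is purely positional, Password now ranks
# above X509 and so meets the "minimum" requirement.
$reordered = @($AuthnContextOrder[1..5] + $AuthnContextOrder[0])
$okWeak = Test-AuthnContextSatisfied -Order $reordered -Requested $requested -Comparison 'minimum' -Actual $AuthnContextOrder[0]
Write-Output ("minimum X509 under reordered list, actual Password: {0}" -f $okWeak)
```

The last call is the point a practitioner should take away: the relying party's request carries no notion of strength of its own, so a "minimum" or "better" comparison is only as meaningful as the responder's configured order. Under the default order a password logon is rejected for a request that demands at least X509; under the reordered list the same password logon is accepted.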

The following example shows a Windows PowerShell command (and output) that lists the current Authentication Context Order settings (the context classes are listed in ascending order of strength).

PS C:\Windows\System32> Get-ADFSProperties | select-object -expandProperty AuthenticationContextOrder | select-object -Property AbsoluteUri  
  
AbsoluteUri  
-----------  
urn:oasis:names:tc:SAML:2.0:ac:classes:Password  
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport  
urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient  
urn:oasis:names:tc:SAML:2.0:ac:classes:X509  
urn:federation:authentication:windows  
urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos  

The following example shows a series of Windows PowerShell commands that set the Authentication Context Order settings. As written, these commands set the default order; you can modify them, for example by reordering the elements in the array, to change the relative strengths of the context classes. The first element in the array is the weakest class and the last element is the strongest. Because AD FS 2.0 ranks classes purely by position, moving a weaker method such as Password up the list makes it count as stronger than every class below it for "minimum" and "better" comparisons, so it can then satisfy requests that asked for a stronger method; verify the resulting order with Get-ADFSProperties after any change. Note also that the URIs are case-sensitive, so a misspelt class is not matched.

PS C:\Windows\System32> $pwd = New-Object System.Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:Password")  
PS C:\Windows\System32> $pwdtransport = New-Object System.Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")  
PS C:\Windows\System32> $tls = New-Object System.Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient")  
PS C:\Windows\System32> $x509 = New-Object System.Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:X509")  
PS C:\Windows\System32> $windows = New-Object System.Uri("urn:federation:authentication:windows")  
PS C:\Windows\System32> $kerberos = New-Object System.Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos")  
  
PS C:\Windows\System32> [System.Uri[]] $newURIs = $pwd, $pwdtransport, $tls, $x509, $windows, $kerberos  
  
PS C:\Windows\System32> Set-ADFSProperties -AuthenticationContextOrder $newURIs  
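The following is an added example, not from this topic and not AD FS code. Instead of applying an order unconditionally, it compares the live Authentication Context Order with the intended one, reports every difference, and calls Set-ADFSProperties only when they differ. Get-ADFSProperties and Set-ADFSProperties are the AD FS 2.0 cmdlets named above and work only on a federation server with the AD FS snap-in loaded; the Test-AuthnContextOrderDrift function, the $IntendedOrder variable and the constructed drifted order are assumptions made for illustration and run anywhere.

```powershell
# Added example, not from the original topic or from AD FS: detect drift between
# the live Authentication Context Order and the intended one before applying it.
# Test-AuthnContextOrderDrift runs anywhere; the Get-/Set-ADFSProperties calls
# need the AD FS 2.0 snap-in on a federation server. Names are assumed.

# Intended order, weakest first (the AD FS 2.0 default).
$IntendedOrder = @(
    'urn:oasis:names:tc:SAML:2.0:ac:classes:Password',
    'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
    'urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient',
    'urn:oasis:names:tc:SAML:2.0:ac:classes:X509',
    'urn:federation:authentication:windows',
    'urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos'
)

function Test-AuthnContextOrderDrift {
    # Returns one message per difference; an empty result means the orders match.
    # Comparisons are case-sensitive because the URIs are.
    param([string[]] $Current, [string[]] $Intended)
    $problems = @()
    foreach ($uri in $Intended) {
        if ($Current -cnotcontains $uri) { $problems += "missing from live order: $uri" }
    }
    foreach ($uri in $Current) {
        if ($Intended -cnotcontains $uri) { $problems += "not in intended order: $uri" }
    }
    for ($i = 0; $i -lt $Current.Count; $i++) {
        $want = [Array]::IndexOf($Intended, $Current[$i])
        if ($want -ge 0 -and $want -ne $i) {
            $problems += ("{0} is at position {1}, intended position {2}" -f $Current[$i], $i, $want)
        }
    }
    return $problems
}

# Constructed drifted order (Password moved to the top, i.e. ranked strongest)
# so the check can be exercised without a federation server.
$sampleLive = @($IntendedOrder[1..5] + $IntendedOrder[0])
Test-AuthnContextOrderDrift -Current $sampleLive -Intended $IntendedOrder |
    ForEach-Object { Write-Warning ("sample: " + $_) }

# On a federation server: read the live order, report drift, apply only if needed.
if (Get-Command Get-ADFSProperties -ErrorAction SilentlyContinue) {
    $live = @(Get-ADFSProperties |
        Select-Object -ExpandProperty AuthenticationContextOrder |
        ForEach-Object { $_.AbsoluteUri })
    $drift = @(Test-AuthnContextOrderDrift -Current $live -Intended $IntendedOrder)
    if ($drift.Count -eq 0) {
        Write-Output 'Authentication Context Order already matches; nothing changed.'
    } else {
        $drift | ForEach-Object { Write-Warning $_ }
        [System.Uri[]] $newOrder = $IntendedOrder | ForEach-Object { New-Object System.Uri -ArgumentList $_ }
        Set-ADFSProperties -AuthenticationContextOrder $newOrder
    }
} else {
    Write-Output 'AD FS cmdlets not available on this host; live order not checked.'
}
```

Run against the constructed order, the check reports Password at the last position instead of the first and every other class shifted one position down. Keeping $IntendedOrder in version control and running this check on a schedule turns the Authentication Context Order into something that is reviewed rather than silently trusted.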

For more information about how AD FS 2.0 processes RP-initiated sign-on requests, see Authentication Handler Overview. For more information about how to specify sign-on parameters in IdP-initiated sign-on requests, see IdpInitiatedSignOnPage Class Overview.

See Also

Microsoft.IdentityServer.Protocols.Saml.RequestedAuthenticationContext
Authentication Handler Overview
IdpInitiatedSignOnPage Class Overview