
This topic has 6 replies, 4 voices, and was last updated 4 years, 9 months ago by [email protected].

  • #13063

    In case of SAML-based SSO, I have one important question to ask the experts.

    OpenAM-IDP receives a <samlp:AuthnRequest> asking to use a particular <samlp:RequestedAuthnContext>.
    This request also comes with a valid SSO-token.

    Would OpenAM always re-authenticate the user if the requested-authn-context in the request maps to a different authentication service/module from the one stored in the SSO-token?


    As long as the authentication-level of the requested-authn-context is the same as the authentication level of the SSO-token, NO re-authentication occurs.

    Appreciate your response!!

     Peter Major

    This mostly depends on the IDPAuthnContextMapper implementation, but the default behavior is more like:
    as long as the session’s authlevel is less than the authlevel associated in the Federation configuration with the requested authncontext, a session upgrade will be carried out.


    Thanks Peter.

    Yes, there is no doubt about the behaviour when levels do not match,
    but in my use-case:

    the auth-level in the session-token is the SAME as the auth-level derived by IDPAuthnContextMapper after zeroing in on the requested authn-context in the saml-request with the realm's auth-service


    the auth-service in the session-token is NOT the SAME as the auth-service derived by IDPAuthnContextMapper after zeroing in on the requested authn-context in the saml-request with the realm's auth-service.

    So in this scenario, will OpenAM consider it a traditional session-upgrade (similar to the policy-advice flow) and the user has to re-authenticate?


     Peter Major

    Apologies, but it is difficult to understand what you are trying to say.

    Either way, it sounds like testing your particular scenario would be the easiest way to figure out what’s going to happen.


    Hi Peter,
    I am sorry if I confused you. Actually I tried it practically but I am not getting a definitive answer and there are chances that I have not isolated the use-case properly. I do not want to conclude wrongly as there could be adverse implications.

    Let me try to put it in a practical way.

    On the OpenAM console I have configured a SAML-IDP with 2 idp-AuthncontextClassref-Mappings.
    If you see the IDP extended metadata file, you will find

    <Attribute name="idpAuthncontextClassrefMapping">

    As you can see both mappings are with the SAME auth-level but both are mapped to a different auth-chain.
    Now, the first saml-request arrived at this IDP and was asking to use

    <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:myorg:names:tc:SAML:2.0:ac:classes:ldapauth</saml:AuthnContextClassRef>

    now the idp-sso-session has been established.

    Later on, another SAML-request came and was asking to use

    <samlp:RequestedAuthnContext Comparison="exact">

    As you can see this time the saml-request is asking for another service-chain.
    Will OpenAM go for re-authentication?


     Peter Major

    It depends on whether the session established by the ldapauth chain actually has AuthLevel >(=?) 2. You need to check your authentication module settings.

    There is a good chance that the session upgrade logic will get better/more straightforward in future versions, but for now you'll need to make sure that the auth level settings between federation and authentication make sense, otherwise you can end up in a situation where your users are always reauthenticated.


    Hi Peter,

    I have a similar use case with SAML Federation.
    Let’s say I have 2 different AuthnContexts mapped to different chains:
    Context1 – Chain 1 – Auth Level 10
    Context2 – Chain 2 – Auth Level 20

    Chain 1 = LDAP module with Auth Level 10
    Chain 2 = LDAP module with Auth Level 10 + HOTP module with Auth Level 20

    If a user is already authenticated using Chain 1 and if he tries to access another application which hits Chain 2, will OpenAM automatically skip LDAP module in Chain 2 and invoke only the HOTP module? Similarly, if the user directly hits Chain 2 for the first time, will OpenAM execute LDAP module followed by HOTP?

    I am looking at session upgrade use case where different applications need different levels of security.
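The following is an added example, not code from this thread or from OpenAM, that models the level-based session-upgrade rule Peter describes for both scenarios above (two chains at the same level, and Chain 1 at level 10 versus Chain 2 at level 20). It assumes a mapping entry format of `<classRef>|<authLevel>|service=<chain>|default` standing in for OpenAM's idpAuthncontextClassrefMapping values, treats equal levels as "no upgrade" (the thread leaves > versus >= open), and uses constructed chain names, levels and class refs (only the ldapauth class ref comes from the thread).

```python
"""Added example (not OpenAM's own code): a model of the session-upgrade rule
described in the thread. Under that rule the IdP compares auth levels only:
if the existing session's auth level is lower than the level the federation
configuration attaches to the requested AuthnContextClassRef, a session
upgrade (re-authentication) is forced; otherwise the session is reused,
whichever chain originally created it.

Assumptions: the entry format <classRef>|<authLevel>|service=<chain>|default
stands in for OpenAM's idpAuthncontextClassrefMapping values; equal levels
mean "no upgrade"; chain names, levels and every class ref other than
...ldapauth are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CONSTRUCTED_MAPPINGS: List[str] = [
    # scenario 1 from the thread: two chains, same level, different chain
    "urn:myorg:names:tc:SAML:2.0:ac:classes:ldapauth|2|service=ldapChain|default",
    "urn:myorg:names:tc:SAML:2.0:ac:classes:otherauth|2|service=otherChain",
    # scenario 2 from the thread: Context1 -> Chain 1 (10), Context2 -> Chain 2 (20)
    "urn:myorg:names:tc:SAML:2.0:ac:classes:context1|10|service=chain1",
    "urn:myorg:names:tc:SAML:2.0:ac:classes:context2|20|service=chain2",
]


@dataclass(frozen=True)
class ContextMapping:
    class_ref: str
    auth_level: int
    chain: Optional[str]  # None if the entry names no service/chain
    is_default: bool


def parse_mapping(entry: str) -> ContextMapping:
    """Parse one mapping entry of the assumed '|'-separated format."""
    parts = [p.strip() for p in entry.split("|")]
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed mapping entry: {entry!r}")
    chain, is_default = None, False
    for extra in parts[2:]:
        if extra == "default":
            is_default = True
        elif extra.startswith("service="):
            chain = extra[len("service="):]
    return ContextMapping(parts[0], int(parts[1]), chain, is_default)


def load_mappings(entries: List[str]) -> Dict[str, ContextMapping]:
    """Index entries by class ref; a duplicate ref is a config error, so fail."""
    mappings: Dict[str, ContextMapping] = {}
    for entry in entries:
        m = parse_mapping(entry)
        if m.class_ref in mappings:
            raise ValueError(f"duplicate mapping for {m.class_ref}")
        mappings[m.class_ref] = m
    return mappings


def resolve(requested_ref: Optional[str],
            mappings: Dict[str, ContextMapping]) -> ContextMapping:
    """Pick the mapping for the requested class ref. A request carrying no
    RequestedAuthnContext falls back to the entry flagged 'default'
    (assumption); an unmapped ref cannot be satisfied and is rejected."""
    if requested_ref is None:
        defaults = [m for m in mappings.values() if m.is_default]
        if len(defaults) != 1:
            raise ValueError("exactly one mapping must be flagged default")
        return defaults[0]
    try:
        return mappings[requested_ref]
    except KeyError:
        raise ValueError(f"no mapping for requested context {requested_ref!r}") from None


def needs_session_upgrade(session_level: int, requested_ref: Optional[str],
                          mappings: Dict[str, ContextMapping]) -> bool:
    """The rule from the thread: upgrade iff session level < required level.
    Note what is NOT compared: the chain that produced the session."""
    return session_level < resolve(requested_ref, mappings).auth_level


if __name__ == "__main__":
    m = load_mappings(CONSTRUCTED_MAPPINGS)
    other = "urn:myorg:names:tc:SAML:2.0:ac:classes:otherauth"
    c2 = "urn:myorg:names:tc:SAML:2.0:ac:classes:context2"
    # session built by ldapChain at level 2; SP now asks for otherauth (also level 2)
    print("same level, different chain -> upgrade?", needs_session_upgrade(2, other, m))
    # session from Chain 1 (level 10); SP asks for Context2 (level 20)
    print("level 10 session, level 20 requested -> upgrade?", needs_session_upgrade(10, c2, m))
```

The model makes the caveat in Peter's last reply concrete: because only levels are compared, a request for the otherauth context is satisfied by a session that ldapChain created, even though the SP asked for a different chain with Comparison="exact". If the second chain is meant to enforce something the first does not (the HOTP step in the 10/20 scenario), it must carry a strictly higher auth level, both on the module and in the federation mapping, or the IdP will hand out assertions for the stronger context on the strength of the weaker login.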

