How to disable RequestedAuthnContext in SAML request to IDP?

By: Maniganda Prakash Kannan Account Admin 10 Dec 2018 at 10:22 a.m. CST

3 Responses
Maniganda Prakash Kannan gravatar
SAML request xml to Siteminder fails due to `RequestedAuthnContext` field, how to disable this? #### <u>With `RequestedAuthnContext` - Request is failing in Siteminder:</u> ``` <?xml version="1.0" encoding="UTF-8"?> <samlp:AuthnRequest ID="" Version="2.0" IssueInstant="" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="" Destination=""> <saml:Issuer>https://gtwtdlapfedv01.siteminder.com</saml:Issuer> <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/> <samlp:RequestedAuthnContext Comparison="exact"> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </samlp:RequestedAuthnContext> </samlp:AuthnRequest> ``` #### <u>Without `RequestedAuthnContext` - Request is successful in Siteminder:</u><br> ------------ Per below link, `disableRequestedAuthnContext` property can be set to `true` to disable generation of `RequestedAuthnContext` field. https://github.com/bergie/passport-saml/tree/greenkeeper/initial Added `disableRequestedAuthnContext` in <u>passport-saml-config.json</u>, but not effective, so temporarily commented the code which generates the the field RequestedAuthnContext in `saml.js` under <u>/opt/gluu/node/passport/node_modules/passport-saml/lib/passport-saml</u>, SAML request is getting generated without `RequestedAuthnContext`.<br><br> #### <u>passport-saml-config.json for reference:</u> ``` "siteminder": { "entryPoint": "https://fedtest.gbt.gbtad.com/affwebservices/public/saml2sso", "issuer": "https://gtwtdlapfedv01.siteminder.com", "identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "logo_img":"", "enable":"true", "disableRequestedAuthnContext":true, "cert":"", "skipRequestCompression": false, "reverseMapping": { "email" : "email", "username":"email", "displayName": "name", "id": "NameID", "name": "name", "givenName":"firstName", "familyName": "lastName", "provider" :"issuer" } } ```
Rhel 7.5
closed

Answers

By Aliaksandr Samuseu staff 10 Dec 2018 at 12:53 p.m. CST

Copy
Aliaksandr Samuseu gravatar
Hi, Maniganda. IMO, it's a good candidate for future enhancement. I've asked our Passport developer to have a look at it. Let us do some research to see what we can do to resolve your issue at the moment, still.

By Jose Gonzalez staff 10 Dec 2018 at 6:27 p.m. CST

Copy
Jose Gonzalez gravatar
Hi Maniganda, With regard to the parameters list found [here](https://github.com/bergie/passport-saml/tree/master#config-parameter-details), not all of them can be supplied directly in `passport-saml-config.json` in this moment, for instance: - additionalParams - acceptedClockSkewMs - attributeConsumingServiceIndex - disableRequestedAuthnContext - authnContext - validateInResponseTo (always `true`) - cacheProvider - passReqToCallback (always `true`) - idpIssuer - logoutUrl - additionalLogoutParams - logoutCallbackUrl To workaround your particular problem you can do the following (changing the code of the underlying library `passport-saml` is not ideal): Add a property `disableRequestedAuthnContext` to passport json file, like this: ``` "disableRequestedAuthnContext" : true, ``` in `/opt/gluu/node/passport/server/auth/saml.js` add the following at [line 55](https://github.com/GluuFederation/gluu-passport/blob/version_3.1.4/server/auth/saml.js#L55): ``` if (objectJSON.hasOwnProperty('disableRequestedAuthnContext')) { strategyConfigOptions.issuer = objectJSON['disableRequestedAuthnContext']; } ``` ... and restart passport.

By Maniganda Prakash Kannan Account Admin 11 Dec 2018 at 10:13 a.m. CST

Copy
Maniganda Prakash Kannan gravatar
Thanks for suggesting a better approach.<br> Though a typo has to be corrected in the solution, it should be ``` if (objectJSON.hasOwnProperty('disableRequestedAuthnContext')) { strategyConfigOptions.disableRequestedAuthnContext = objectJSON['disableRequestedAuthnContext']; } ```

Post an answer