Hi Roberto,

Not sure what the Shibboleth Service Provider does. I hope the documentation below (draft) will help. This will be added to the WSO2 documentation in the near future.
Authentication Context Class Reference (ACR) and Authentication Method Reference (AMR)

What is ACR?

Authentication Context Class Reference (ACR) is an optional parameter used in SAML and OpenID Connect (OIDC) requests, by which the Service Provider provides additional information to the Identity Provider (IdP), so that the IdP may enforce additional assurance on the user's authentication flow. Authentication Context Class Reference is sometimes used for "Level Of Assurance" [3] in some contexts.

The ACR values and their interpretation are not defined by any specification at the moment. There are common recommended ACR values widely accepted by the industry. However, you are free to define new ACR values and their meaning to fit your purpose.

    Authentication Method                  Authentication Context Class URI
    Username/Password                      urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    Password Protected Transport           urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    Transport Layer Security (TLS) Client  urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
    X.509 Certificate                      urn:oasis:names:tc:SAML:2.0:ac:classes:X509
    Integrated Windows Authentication      urn:federation:authentication:windows
    Kerberos                               urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos

    Table 1: Widely accepted ACR values

What is AMR?

Authentication Method Reference (AMR) provides some information about which authentication methods were used to assert the user's authenticity. [6] AMR is also vaguely defined as "providing information about everything that happened while authenticating the user in the current session".

Requesting ACR by the Service Provider via the authentication request

SAML 2

The following SAML fragment can be added within the SAML SSO request to request the listed authentication contexts:

    <samlp:RequestedAuthnContext Comparison="exact">
      <saml:AuthnContextClassRef>urn:federation:authentication:windows</saml:AuthnContextClassRef>
      <saml:AuthnContextClassRef>pwd</saml:AuthnContextClassRef>
      <saml:AuthnContextClassRef>LOA2</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>

Here all the above URIs are added to "ACR Values". Please note that some are standard ACR values whereas some are custom values.
- The interpretation of these values is done by the "Service Provider (Application)" configuration on WSO2 IS, which we will discuss later in this document.

OAuth2

The optional parameter "acr_values" can be added to the "Authorization" request as follows:

    https://localhost:9443/oauth2/authorize?scope=openid&acr_values=urn%3Afederation%3Aauthentication%3Awindows+pwd+LOA2&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fplayground2%2Foauth2client&client_id=EUVvhKM28RkwTQL9A52kqXnfCj8a

Please note that you can send multiple values for "acr_values". Each value needs to be separated by a space (in the above example, the '+' character is used).

Handling ACR at WSO2 IS

The easiest way to handle ACR and AMR is via an "Adaptive Authentication" script. Please refer to the "Adaptive Authentication" documentation for more information.

Accessing acr_values from the Authentication Script

    Log.info("ACR : " + context.requestedAcr);
    var acr_values = context.requestedAcr;  // Assigns the list of ACR values as an array.
    context.selectedAcr = "LOA1";           // Sets your ACR value to be returned

"acr_values" from the OAuth2 request or "RequestedAuthnContext"s from the SAML request are both translated into the authentication script in the same way (the authentication script is protocol agnostic):
- The SAML list of "AuthnContextClassRef" and the OIDC "acr_values" are both available via "context.requestedAcr".
- Assign a string value via "context.selectedAcr" if the script wishes to reply with its selected ACR. The selection of the best ACR value is left to the "Identity Administrator".
- WSO2 IS provides a convenience function which suits the majority of cases, "selectAcrFrom" (see "Configuring+ACR-Based+Adaptive+Authentication").

Trying it out without any application

Pre-requisite: Run through "Configuring ACR Based Adaptive Authentication" <https://docs.wso2.com/display/IS570/Configuring+ACR-Based+Adaptive+Authentication> [6] and be familiar with it. Then replace the authentication script with the following:

    function onLoginRequest(context) {
        Log.info("ACR : " + context.requestedAcr);
        var acr_values = context.requestedAcr;
        var needLevel1 = (acr_values.indexOf("LOA1") > -1);
        var needLevel2 = (acr_values.indexOf("LOA2") > -1);
        var needLevel3 = (acr_values.indexOf("LOA3") > -1);
        executeStep(1);
        if (needLevel1) {
            executeStep(2);
            context.selectedAcr = "LOA1"; // Sets your ACR value to be returned
        }
        if (needLevel2) {
            executeStep(3);
            context.selectedAcr = "LOA2";
        }
        if (needLevel3) {
            executeStep(4);
            context.selectedAcr = "LOA3";
        }
    }

Please note that the following instructions are given to quickly try out the case manually, without using any application. These calls and the response handling should be done by the "Service Provider" (the application) itself.

1. Initiate the authentication flow:

    https://localhost:9443/oauth2/authorize?response_type=code&scope=openid&client_id=<YOUR_CLIENT_ID>&redirect_uri=http://localhost:8080/playground2/oauth2client&acr_values=<ACR_VALUES>

   Sample:

    https://localhost:9443/oauth2/authorize?response_type=code&scope=openid&client_id=EUVvhKM28RkwTQL9A52kqXnfCj8a&redirect_uri=http://localhost:8080/playground2/oauth2client&acr_values=LOA2+pwd

   It will redirect to something like this in the browser:

    http://localhost:9764/playground2/oauth2client?code=e1934548d0a0883dd5734e24412310

   Now copy the code (e.g. e1934548d0a0883dd5734e24412310 above). This will later need to be used in place of "YOUR_AUTHORIZATION_CODE".

2. Get the access token and ID token by issuing curl as follows. Sample command:

    curl -v -X POST --basic -u YOUR_CLIENT_ID:YOUR_CLIENT_SECRET -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "client_id=YOUR_CLIENT_ID&grant_type=authorization_code&code=YOUR_AUTHORIZATION_CODE&redirect_uri=https://localhost/callback" https://localhost:9443/oauth2/token

   You will get a response like the following:

    {"access_token":"1b87d316-a107-3174-a71d-ac438a54719b","refresh_token":"60a66d57-0e48-3896-98e7-00213acee104","scope":"openid","id_token":"eyJ4NXQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJraWQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiNk9Yd2Z4SmFUV1lDNTZSY2NFaFNKZyIsImF1ZCI6IkVVVnZoS00yOFJrd1RRTDlBNTJrcVhuZkNqOGEiLCJhY3IiOiJMT0EyIiwiY19oYXNoIjoibERqOW5paFpHU1VtZ05tel9seHhYQSIsInN1YiI6ImFkbWluIiwibmJmIjoxNTQ4Mzk2NDEzLCJhenAiOiJFVVZ2aEtNMjhSa3dUUUw5QTUya3FYbmZDajhhIiwiYW1yIjpbInB3ZCIsImh3ayJdLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJleHAiOjE1NDg0MDAwMTMsImlhdCI6MTU0ODM5NjQxM30.DIf0aP7pa2bPD2ViGXpdddnJi8d6uwfH63gjo5td0g9J0sKeTTahDfYIupj6hGCGyHXzvo40pyDk1VHgl-wY_8im6_fpFbN_56UMSClfRhkY9MqwHn1-ekp3cz9dkPa1eXJFjBMasdZ5nXFkXhGHujfTETClzbHJIJmYSFfPEASHC99ZUN2hTuWM27xH-4gvW6J4eJol_RO4nENhexFUC1y3fk9hOzyKieYGduow_cC8myzfwcgFnnZ1FEZq1ODgHGa4isldUnYcM7Hjh-egmhby6a9L45Ytkvb4Jt-xPqyi2fskDIrg4IgdwWQXbFnNadP3Ifjyhnbak6wjSOPkHw","token_type":"Bearer","expires_in":2554}

   Copy the id_token value and Base64-decode it. Tip: you may use "jwt.io" to decode the id_token. The id_token (Base64 decoded) will contain something like the following:

    {
      "at_hash": "tUx0jJwYLku_1X9Ncb3F2w",
      "aud": "EUVvhKM28RkwTQL9A52kqXnfCj8a",
      "c_hash": "gx4o-kX3w_YjM6lbVU5OoQ",
      "sub": "admin",
      "acr": "LOA2",
      "nbf": 1548388521,
      "azp": "EUVvhKM28RkwTQL9A52kqXnfCj8a",
      "amr": [
        "DemoFaceIdAuthenticator",
        "BasicAuthenticator",
        "DemoFingerprintAuthenticator"
      ],
      "iss": "https://localhost:9443/oauth2/token",
      "exp": 1548392121,
      "iat": 1548388521
    }

Translating AMR values to external form

You will see that the "AMR" values returned are the names of the authenticators involved. Here "DemoFaceIdAuthenticator" is not according to the proposed AMR values [4]. These values can be translated with a server-wide configuration.

1. Open <IS_HOME>/repository/conf/identity/identity.xml
2. Add the following fragment at the root level (i.e. at the <Server> level):

    <AuthenticationContext>
      <MethodRefs>
        <MethodRef uri="pwd" method="BasicAuthenticator" />
        <MethodRef uri="fpt" method="DemoFingerprintAuthenticator" />
        <MethodRef uri="user" method="DemoFaceIdAuthenticator" />
        <MethodRef uri="hwk" method="DemoHardwareKeyAuthenticator" />
        <MethodRef method="AuthenticatorToBeHiddenFromAMR" xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" />
      </MethodRefs>
    </AuthenticationContext>

   - Here the "uri" should be the one suggested by the draft spec [4] or the value you would like to have as the "amr" in the "id_token".
   - You can add the attributes xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" to prevent the relevant AMR from appearing in the id_token if necessary.

3. Restart the server. Generate a new token following the previous steps. You will notice that the "id_token" has changed to something like the following:

    {
      "at_hash": "6OXwfxJaTWYC56RccEhSJg",
      "aud": "EUVvhKM28RkwTQL9A52kqXnfCj8a",
      "acr": "LOA3",
      "c_hash": "lDj9nihZGSUmgNmz_lxxXA",
      "sub": "admin",
      "nbf": 1548396413,
      "azp": "EUVvhKM28RkwTQL9A52kqXnfCj8a",
      "amr": [
        "pwd",
        "hwk",
        "user"
      ],
      "iss": "https://localhost:9443/oauth2/token",
      "exp": 1548400013,
      "iat": 1548396413
    }

Frequently asked questions (FAQ)

1. Can I define my own URI such as "http://my.own.org.wso2.org/some/ref" as the ACR?

   Yes. You are free to define your own URI for any ACR value. This ACR value must be agreed between the application (Service Provider) and the IdP (IS). You can configure this URI in the adaptive authentication script and evaluate it as per your requirement. Note: you need to URL-encode the URI when you send it via the HTTP URL.

2. Can I define my own URI such as "http://my.own.org.wso2.org/some/ref" as the AMR?

   Yes. Any internal representation such as "BasicAuthenticator" available in the AMR array can be translated to any URI of your choice. This is a system-wide configuration. Please see "Translating AMR values to external form".

References:
[1] "Authentication Method Reference Values": https://tools.ietf.org/html/rfc8176
[2] "Entity authentication assurance framework": https://www.iso.org/standard/45138.html
[3] "Level Of Assurance": https://developer.mobileconnect.io/level-of-assurance
[4] "AMR Values": https://tools.ietf.org/html/draft-ietf-oauth-amr-values-04
[5] "Authentication Methods": https://ldapwiki.com/wiki/Authentication%20Method
[6] "Configuring ACR Based Adaptive Authentication": https://docs.wso2.com/display/IS570/Configuring+ACR-Based+Adaptive+Authentication

On Wed, Jan 16, 2019 at 3:35 PM roberto palmarin <[email protected]> wrote:
> Hi everyone,
> I have a Shibboleth service provider where one Location is to be protected with
> username and password and another Location is to be protected with a client
> certificate.
>
> On the SP side, I have the possibility to modify the different
> authnContextClassRef parameter for the two Locations.
> IdP side, how and what should I configure? I tried to use WSO2 adaptive
> authentication but I can't read these parameters. Can someone help me?
>
> More generally, is it possible to define authentication levels? A user who
> is authenticated with his own certificate, when accessing another service
> that requires a lower level (username and password), does not have to do
> anything.
> Vice versa, if already authenticated with username and password, he must be
> forced to authenticate with the certificate when accessing a service that
> requires a higher level of authentication!
>
>
> Thanks
> Roberto
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
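The ACR selection and AMR translation that the draft above describes, as an added example that is not part of the original mail and not WSO2 Identity Server's own code. It models in plain Node.js-runnable JavaScript what the adaptive script and the <MethodRef> configuration do: parsing acr_values out of an authorization URL, choosing the strongest ACR the IdP actually defines (ties resolved in the client's order of preference), mapping internal authenticator names to external amr values (a null entry standing in for xsi:nil="true"), and the check a Service Provider should apply to the acr claim it gets back. ACR_LEVELS, METHOD_REFS and the rank numbers are constructed assumptions, not values from WSO2 IS; the sample authorization URL is the one from the draft.

```javascript
// Added example (not WSO2 Identity Server code): a Node.js model of the ACR
// and AMR handling described in the draft. The tables below are constructed.

// Constructed: ACR values this IdP understands, a relative strength rank, and
// the authentication steps (think executeStep(n)) needed to satisfy each one.
const ACR_LEVELS = {
  "pwd": { rank: 1, steps: [1] },
  "LOA1": { rank: 1, steps: [1] },
  "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": { rank: 1, steps: [1] },
  "urn:federation:authentication:windows": { rank: 2, steps: [1, 2] },
  "LOA2": { rank: 2, steps: [1, 2] },
  "LOA3": { rank: 3, steps: [1, 2, 3] },
};

// Constructed: mirrors the <MethodRef> fragment from identity.xml. A null
// value plays the role of xsi:nil="true" and hides that authenticator.
const METHOD_REFS = {
  BasicAuthenticator: "pwd",
  DemoFingerprintAuthenticator: "fpt",
  DemoFaceIdAuthenticator: "user",
  DemoHardwareKeyAuthenticator: "hwk",
  AuthenticatorToBeHiddenFromAMR: null,
};

// The authorization request shown in the draft (copied, not invented).
const SAMPLE_AUTHORIZE_URL =
  "https://localhost:9443/oauth2/authorize?scope=openid&" +
  "acr_values=urn%3Afederation%3Aauthentication%3Awindows+pwd+LOA2" +
  "&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fplayground2%2Foauth2client" +
  "&client_id=EUVvhKM28RkwTQL9A52kqXnfCj8a";

// acr_values is a space-separated list; in a query string the spaces arrive
// as '+' or '%20', both of which URLSearchParams decodes for us.
function parseAcrValues(authorizeUrl) {
  const raw = new URL(authorizeUrl).searchParams.get("acr_values");
  if (!raw) return [];
  return raw.split(/\s+/).filter((v) => v.length > 0);
}

// IdP side: choose the strongest requested ACR that the IdP actually defines.
// Undefined values are ignored instead of echoed back, so a client cannot
// name an arbitrary ACR and later find it asserted in the id_token. Ties keep
// the earlier value, because acr_values is in the client's preference order.
function selectAcr(requested, levels = ACR_LEVELS) {
  let best = null;
  for (const acr of requested) {
    const level = levels[acr];
    if (!level) continue;
    if (best === null || level.rank > levels[best].rank) best = acr;
  }
  return best;
}

// IdP side: the ordered steps the script would run for the selected ACR;
// with no usable selection only the first factor (step 1) runs.
function stepsFor(selectedAcr, levels = ACR_LEVELS) {
  const level = selectedAcr ? levels[selectedAcr] : undefined;
  return level ? level.steps.slice() : [1];
}

// IdP side: internal authenticator names -> external amr values. Hidden
// entries are dropped; names with no MethodRef pass through unchanged, which
// is what the first id_token in the draft shows.
function translateAmr(internalAmr, refs = METHOD_REFS) {
  const out = [];
  for (const name of internalAmr) {
    if (!Object.prototype.hasOwnProperty.call(refs, name)) {
      out.push(name);
    } else if (refs[name] !== null) {
      out.push(refs[name]);
    }
  }
  return out;
}

// SP side: acr_values is only a request. Before treating a session as meeting
// its requirement, the application checks the acr claim of the id_token: an
// exact match with a requested value, or a known value at least as strong as
// the weakest known value that was requested.
function acrSatisfies(tokenAcr, requested, levels = ACR_LEVELS) {
  if (requested.length === 0) return true;        // nothing was required
  if (requested.includes(tokenAcr)) return true;  // like SAML Comparison="exact"
  const got = levels[tokenAcr];
  if (!got) return false;                         // unknown value: cannot compare
  const ranks = requested.filter((r) => levels[r]).map((r) => levels[r].rank);
  if (ranks.length === 0) return false;           // nothing requested is comparable
  return got.rank >= Math.min(...ranks);
}

// Walk the draft's own flow end to end when run directly with `node`.
const demoRequested = parseAcrValues(SAMPLE_AUTHORIZE_URL);
console.log("requested:", demoRequested);
console.log("selected:", selectAcr(demoRequested), "steps:", stepsFor(selectAcr(demoRequested)));
console.log("amr:", translateAmr(["DemoFaceIdAuthenticator", "BasicAuthenticator", "DemoHardwareKeyAuthenticator"]));
console.log("SP accepts LOA3 for [LOA2 pwd]?", acrSatisfies("LOA3", ["LOA2", "pwd"]));
```

The last function is the part the draft leaves to the application: the IdP decides what acr it returns, so the Service Provider's "authentication levels" only hold if the application compares the acr claim against what it asked for, and rejects or re-authenticates when the level is too low. The ranking policy (accept anything at least as strong as the weakest requested level) is one choice; an SP that needs an exact context, as with SAML Comparison="exact", would keep only the first test.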
