Add the vot to the SAML response when it is used as an AuthnContext for SAML#10224
Merged
Add the vot to the SAML response when it is used as an AuthnContext for SAML#10224
vot to the SAML response when it is used as an AuthnContext for SAML#10224Conversation
… for SAML In #10178 we added the ability for SAML service providers to make a request with a vector of trust in the AuthnContext. When a SAML SP does this the vector of trust that is used for the authentication transaction should be reflected to the SP in the SAML response. The authentication context appears in 2 places in the SAML request: 1. In the authn context for the entire transaction: ```xml <AuthnStatement AuthnInstant="2024-01-01T00:00:00" SessionIndex="_abc-123-def-456"> <AuthnContext> <AuthnContextClassRef>A1.B2.C3</AuthnContextClassRef> </AuthnContext> </AuthnStatement> ``` 2. In the attribute statement. With ACR values these appeared as seperated AAL and IAL nodes. For VTRs they appear in a single VTR node: ```xml <AttributeStatement> <!-- ... --> <Attribute Name="vot" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="vot"> <AttributeValue>A1.B2.C3</AttributeValue> </Attribute> </AttributeStatement> ``` Making the VoT appear like this required changes in 2 places: 1. In the SAML controller the correct `authn_context` value was passed to the `#encode_response` method. This is a method from the `18f/saml_idp` gem which is overriden in `SamlIdpController`. 2. The `AttributeAsserter` was modified to recognized a VTR request and add the correct values to the `AttributeStatement` node in the SAML response. changelog: Internal, SAML, VTR support was added to SAML Response
matthinz
approved these changes
Mar 8, 2024
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
In #10178 we added the ability for SAML service providers to make a request with a vector of trust in the AuthnContext. When a SAML SP does this the vector of trust that is used for the authentication transaction should be reflected to the SP in the SAML response.
The authentication context appears in 2 places in the SAML request:
In the authn context for the entire transaction:
In the attribute statement. With ACR values these appeared as seperated AAL and IAL nodes. For VTRs they appear in a single VTR node:
Making the VoT appear like this required changes in 2 places:
authn_contextvalue was passed to the#encode_responsemethod. This is a method from the18f/saml_idpgem which is overriden inSamlIdpController.AttributeAsserterwas modified to recognized a VTR request and add the correct values to theAttributeStatementnode in the SAML response.