

Configure Authentication Context Requests at the SP

The authentication context is part of the authentication statement in an assertion, and it indicates how a user authenticated at an IdP. An SP can require information about the authentication process to establish a level of confidence in the assertion before granting access to resources.

An authentication context URI is the value of an <AuthnContextClassRef> element inside an <AuthnContext> element. Each URI identifies the context class that the SP wants the IdP to return in the assertion.

The authentication context template at the SP defines the following information:

You can select a template on a per-partnership basis, and multiple partnerships can use a single template.

Create an authentication context template before you enable authentication context requests or while you are configuring the SP partnership.

Enable Authentication Context Requests at the SP

An SP can request that an IdP return the authentication context in an assertion. Enable that request at the SP->IdP partnership.

Before you begin, we recommend that you create an authentication context template.

Follow these steps:

  1. Log in to the CSP console.
  2. Select Federation, Partnership Federation, Partnerships.
  3. Select the SP->IdP partnership you want to edit.
  4. Navigate to the Configure AuthnContext step in the partnership wizard.

    The configuration dialog opens.

  5. Select the Enable Authentication Context Processing check box.
  6. Complete the fields in the dialog.

    Note: Click Help for a description of fields, controls, and their respective requirements.

    Note the following information:

The authentication context request is included in the authentication requests sent to the Identity Provider.
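
The following added example (not part of the product or its documentation) shows what the request looks like on the wire and the check the SP side relies on when the assertion comes back. The function names, the `REQUESTED` policy list, and the sample assertions are constructed for illustration. It assumes the assertion signature has already been verified, and it treats a missing class reference as a failure.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# Assumed SP policy: the classes this SP accepts (standard SAML 2.0 class URIs).
REQUESTED = [AC + "PasswordProtectedTransport", AC + "X509"]

def requested_authn_context(class_refs, comparison="exact"):
    """Build the <samlp:RequestedAuthnContext> an SP puts in its AuthnRequest."""
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": comparison})
    for uri in class_refs:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = uri
    return rac

def returned_class_refs(assertion_xml):
    """Class URI of each AuthnStatement (None if absent).
    Assumes the assertion's signature was verified before this is called."""
    root = ET.fromstring(assertion_xml)
    path = f"{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef"
    refs = []
    for stmt in root.iter(f"{{{SAML}}}AuthnStatement"):
        ref = stmt.find(path)
        refs.append(ref.text.strip() if ref is not None and ref.text else None)
    return refs

def context_satisfied(assertion_xml, requested):
    """Exact comparison, failing closed: there must be at least one
    AuthnStatement and every one must carry a requested class URI."""
    refs = returned_class_refs(assertion_xml)
    return bool(refs) and all(r in requested for r in refs)

def sample_assertion(inner):
    """Constructed, unsigned test assertion; `inner` is the AuthnContext body."""
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0">'
            '<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">'
            f'<saml:AuthnContext>{inner}</saml:AuthnContext>'
            '</saml:AuthnStatement></saml:Assertion>')

def class_ref(uri):
    return f"<saml:AuthnContextClassRef>{uri}</saml:AuthnContextClassRef>"

if __name__ == "__main__":
    print(ET.tostring(requested_authn_context(REQUESTED), encoding="unicode"))
    for name in ("X509", "Password"):
        ok = context_satisfied(sample_assertion(class_ref(AC + name)), REQUESTED)
        print(name, "accepted" if ok else "rejected")
```

An assertion that authenticates with a weaker class than requested, or that omits the class reference entirely, is rejected rather than silently accepted.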