Federation Guides › Partnership Federation Guide › Authentication Context Processing (SAML 2.0) › Enable Authentication Context Requests at the Local SP Partnership

Enable Authentication Context Requests at the Local SP Partnership

The authentication context is part of an assertion authentication statement and it indicates how a user authenticated at an IdP. An SP can require information about the authentication process to establish a level of confidence in the assertion before granting access to resources.

Authentication Context URIs are the value of the <AuthnContextClassRef> element inside of a <AuthnContext> element. Each URI identifies the context class that the SP wants the IdP to return in the assertion.

The authentication context template at the SP defines the following information:

• Which URIs the SP wants to receive from the IdP. For outgoing requests, the URIs in the template indicate which authentication contexts are acceptable to the SP before it allows access to the requested resource.
• How the URIs in the request are compared to the URIs defined at the IdP.
• How the SP uses the URIs. The SP can include URIs in the outgoing authentication request. The SP can also validate URIs in the incoming assertion response. You can configure the URI usage for both functions.

You can select a template on a per-partnership basis and multiple partnerships can use a single template.

Configure an authentication context template before you enable authentication context requests or while you are configuring the SP partnership.

Follow these steps:

1. Log in to the Administrative UI.
2. Select the SP->IdP partnership you want to edit.
3. Navigate to the Configure AuthnContext step in the partnership wizard.

   The configuration dialog opens.

4. Select the Enable Authentication Context Processing check box.
5. Complete the fields in the dialog. Click Help for a description of fields, controls, and their respective requirements.

   Note the following information:

   • If no authentication context template exists, select Create template.
   • The Comparison field describes how the URIs in the SP authentication request are compared with the URIs configured at the Identity Provider.

     The Help details each comparison operator.

   • If you are selecting URIs from the Available URIs list, the available URIs reflect the URIs configured for the chosen template. If there are no predefined templates, click Create Template to configure one.

The authentication context request is included in the authentication requests sent to the Identity Provider.