Specify How the IdP Obtains the Authentication Context

Configure how to obtain the authentication context.

Follow these steps:

  1. Navigate to the SSO and SLO step in the IdP->SP partnership wizard.
  2. In the Authentication section, specify how to obtain the authentication context.
  3. Follow the steps for the method chosen in the previous step:
  4. (Optional) Depending on how you obtain the authentication context, you can also select the Ignore RequestedAuthnContext check box.

The following table shows how the Configure AuthnContext and the Ignore RequestedAuthnContext settings work together:

| Configure AuthnContext | Ignore RequestedAuthnContext | SP requests AuthnContext | Result |
|---|---|---|---|
| Predefined Class | Selected | Yes | IdP ignores the <RequestedAuthnContext> and uses the defined value in the assertion. |
| Predefined Class | Selected | No | IdP returns the defined value in the assertion by default. |
| Predefined Class | Not selected | Yes | Transaction fails because the IdP is not configured to handle the authentication context request. The IdP returns an error message to the SP. |
| Predefined Class | Not selected | No | IdP returns the defined class value in the assertion by default. |
| Automatically Detect Class | Selected | Yes | IdP compares the protection level for the authentication scheme against the authentication context template and returns the matching authentication URI in the assertion. The IdP ignores the values in the SP request. |
| Automatically Detect Class | Selected | No | IdP compares the protection level for the authentication scheme against the authentication context template and returns the matching authentication URI in the assertion. The IdP ignores the values in the SP request. |
| Automatically Detect Class | Not selected | Yes | IdP compares the protection level against the authentication context class that the SP sends. The IdP uses the authentication context template to determine the authentication URI it places in the assertion. |
| Automatically Detect Class | Not selected | No | IdP compares the protection level for the authentication scheme against the authentication context template and returns the matching authentication URI in the assertion. |
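
In the rows where the IdP ignores the SP request, the class in the assertion can differ from the one the SP asked for, so the SP has to compare the two itself. The following is an added example, not product code: an SP-side check that the asserted AuthnContextClassRef satisfies the RequestedAuthnContext it sent. It assumes the assertion signature has already been verified; the function names and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

def _refs(node):
    """Collect AuthnContextClassRef URIs found anywhere under node."""
    return [e.text.strip() for e in node.iterfind(".//saml:AuthnContextClassRef", NS) if e.text]

def check_authn_context(authn_request_xml, assertion_xml):
    """Return (ok, reason): does the assertion honour the SP's RequestedAuthnContext?

    Assumes the caller already verified the assertion signature (hypothetical caller).
    """
    rac = ET.fromstring(authn_request_xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return True, "SP sent no RequestedAuthnContext"
    comparison = rac.get("Comparison", "exact")  # SAML default is "exact"
    if comparison != "exact":
        # minimum/better/maximum need a deployment-specific class ordering: fail closed.
        return False, "unsupported Comparison=" + comparison
    wanted = set(_refs(rac))
    got = []
    for stmt in ET.fromstring(assertion_xml).iterfind(".//saml:AuthnStatement", NS):
        got += _refs(stmt)
    if not got:
        return False, "assertion carries no AuthnContextClassRef"
    if wanted.intersection(got):
        return True, "asserted class matches request"
    return False, "asserted %s, requested %s" % (sorted(got), sorted(wanted))

# Constructed sample messages (not captured traffic).
REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>%sX509</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>""" % AC

def assertion(class_uri):
    """Build a minimal constructed assertion carrying class_uri."""
    return ("""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>""" % class_uri)

if __name__ == "__main__":
    print(check_authn_context(REQUEST, assertion(AC + "X509")))
    print(check_authn_context(REQUEST, assertion(AC + "PasswordProtectedTransport")))
```

The second call models the "Predefined Class / Selected / Yes" row: the SP asked for X509, the IdP asserted its predefined class, and the SP rejects the session.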