Enable the Authentication Context Feature at the Local IdP Partnership

CA SiteMinder® Federation Standalone Guide › Authentication Context Processing (SAML 2.0) › Enable the Authentication Context Feature at the Local IdP Partnership

Enable the Authentication Context Feature at the Local IdP Partnership

The CA SiteMinder® Federation Standalone IdP can obtain the authentication context for an assertion in two ways:

Use a predefined authentication class
Specify a URI for the authentication class and ignore the context request from the SP. A hard-coded entry can act as the default authentication context for IdP-initiated single sign-on.
Detect the authentication class automatically—only available with the SiteMinder Connector enabled.
The system automatically detects the authentication context using the authentication context template.

The IdP uses the template even if the authentication request from the SP does not include the <RequestedAuthnContext> element. The presence of the element triggers extra evaluation by the IdP and constrains the choices of what the IdP puts in the assertion.

You can find more information about the flow of authentication context processing.

Configure how to obtain the authentication context.

Follow these steps:

Navigate to the SSO and SLO step in the IdP->SP partnership wizard.
In the Authentication section, specify how to obtain the authentication context.
- For local authentication, you are required to use the predefined authentication class.
- For delegated authentication with the SiteMinder Connector, select the predefined authentication class or automatically detect the class with an authentication context template.
Follow the steps for the method chosen in the previous step:
- To include a predefined class in the assertion, select a URI from the Authentication Class pull-down menu.
- To include a class from the session context and a template, select a template from the authentication Context Template field or click Create Template.
  Note: This option is available only if you enabled the SiteMinder Connector.
(Optional). Depending on how you obtain the authentication context you can also select the Ignore RequestedAuthnContext check box.

The following table shows how the Configure AuthnContext and the Ignore RequestedAuthnContext settings work together:

Configure AuthnContext	Ignore RequestedAuthnContext	SP requests AuthnContext	Result
Predefined Class	Selected	Yes	IdP ignores the <RequestedAuthnContext> and uses the defined value in the assertion.
Predefined Class	Selected	No	IdP returns the defined value in the assertion by default.
Predefined Class	Not selected	Yes	Transaction fails because the IdP is not configured to handle the authentication context request. The IdP returns an error message to the SP.
Predefined Class	Not selected	No	IdP returns the defined class value in the assertion by default.
Automatically Detect Class	Selected	Yes	IdP compares the protection level for the authentication scheme against the authentication context template and returns the matching authentication URI in the assertion. The IdP ignores the values in the SP request.
Automatically Detect Class	Selected	No	IdP compares the protection level for the authentication scheme against the authentication context template and returns the matching authentication URI in the assertion. The IdP ignores the values in the SP request.
Automatically Detect Class	Not selected	Yes	IdP compares the protection level against the authentication context class that the SP sends. The IdP uses the authentication context template to determine the authentication URI it places in the assertion.
Automatically Detect Class	Not selected	No	IdP compares the protection level for the authentication scheme against the authentication context template and returns the matching authentication URI in the assertion.