

Configure an Authentication Context Template

An authentication context template defines the specific SAML 2.0 AuthnContext URIs that a partner supports. Each URI identifies a particular context class. You can select a template on a per-partnership basis; multiple partnerships can use a single template.

In addition to the common function, a template has the following distinct functions at each partner:

At the IdP

You only require a template at the IdP under the following conditions:

The template maps URIs to the protection levels associated with a user session. The protection levels indicate the strength of the authentication scheme at the policy server, from 1 through 1000, with 1000 being the strongest. An administrator assigns protection levels when configuring an authentication scheme that authenticates a user and establishes a user session.

Note: Protection levels are only available with the SiteMinder Connector.

At the SP

An authentication context template at the SP is required to generate an authentication context that is sent in the authentication request. After the SP generates the request, it sends it to the IdP. The template is also required for the SP to validate that the received assertion satisfies the authentication context requested.

Before proceeding with configuration, verify that you meet the following minimum knowledge requirements:

The following figure shows the configuration process for each partner. CA SiteMinder® Federation does not have to be installed at each site.

Process for configuring authentication context

Complete the following steps to configure authentication context processing:

  1. Determine authentication context and strength levels.
  2. Set up an authentication context template.
  3. Complete the task for your site:

Determine Authentication Context and Strength Levels with your Partner

The SP can require specific authentication contexts and strength levels before it permits access to a requested resource. Based on the sensitivity of the resources at the SP, the SP has to have confidence in the assertion it receives from the IdP.

The administrators at the IdP and SP have to establish guidelines for supported authentication contexts and the relative strength of each authentication context URI. The order of the URIs at the IdP together with the associated strength levels affects how the IdP responds to the SP.

For example, an SP requests an authentication context for an X.509 certificate and a comparison value of exact. The IdP has to authenticate the requesting user at a suitable strength level and satisfy the comparison value during the evaluation of the authentication context.

Set up an Authentication Context Template

Set up an authentication context template to implement authentication context processing. This procedure is the same for an Identity Provider or Service Provider.

Follow these steps:

  1. Log in to the Administrative UI.
  2. From the Federation tab, select AuthnContext Templates.

    The View Authentication Context Templates window opens.

  3. Select Create Template.

    The template wizard opens at the first step.

  4. Enter a name for the template.
  5. Complete one of the following actions:
  6. Arrange the selected URIs by strength level. The strength level is in descending order, with the strongest URI at the top and the least strong at the bottom.
  7. Click Next.
  8. (Optional) Group URIs that require the same level of strength by indenting one URI under the previous URI. Use the Change Grouping arrow to move a URI into or out of a group.
  9. For SiteMinder Connector deployments only:
    1. Click Enable Protection Levels.
    2. Map the protection levels from an authentication scheme to the URIs. The protection levels indicate the strength of an authentication scheme, ranging from 1 through 1000, with 1000 being the strongest. Individual URIs can have unique protection levels; however, grouped URIs share the same level of strength.

      Consider the following information when assigning protection levels:

      • Assign the protection levels in descending order. List the strongest context at the top and the weakest context at the bottom.
      • You can modify the maximum protection level and the Administrative UI calculates the minimum. The Administrative UI verifies that there is no gap in the range of levels so that each protection level has an associated URI.

    Read more about protection level assignments.

  10. Click Next to move to the last step of the wizard.
  11. Select Finish to confirm the configuration.

The template is complete.

Protection Level Assignments for a Context Template

A federation deployment that uses the SiteMinder Connector for delegated authentication requires that you associate protection levels with each authentication URI. The protection level indicates a level of assurance in the strength of the authentication. Each protection level is mapped to a URI strength level. Ensure that the protection level assignments reflect the protection levels of the CA SiteMinder® authentication scheme.

Note: In a deployment with the SiteMinder Connector, the protection level overrides the level specified in the connector authentication scheme.

When you assign protection levels in the Administrative UI, specify a range. Specify the maximum level for each URI in the list. The minimum protection level is automatically calculated based on the maximum level for the subsequent URI in the list. The range has to cover the configured CA SiteMinder® authentication schemes. For example, if CA SiteMinder® configures an X.509 authentication scheme at a protection level of 20, ensure that the range specified for CA SiteMinder® Federation Standalone includes 20.

Protection Level Example

SiteMinder Authentication Scheme                                  Protection Level
urn:oasis:names:tc:SAML:2.0:ac:classes:X509                       20
urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract    15
urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol           10
urn:oasis:names:tc:SAML:2.0:ac:classes:Password                   5

Each protection level is mapped to a URI strength level. The table shows the original list of URIs:

URI                                                               Protection Level Max    URI Strength
urn:oasis:names:tc:SAML:2.0:ac:classes:X509                       1000                    4
urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract    15                      3
urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol           10                      2
urn:oasis:names:tc:SAML:2.0:ac:classes:Password                   5                       1

The ranges cover the protection level of the CA SiteMinder® authentication scheme. For example:

If you group several of the URIs, the grouping enables URIs with different protection levels to have the same URI strength. The following modified table shows the groupings.

URI                                                               Protection Level Max    URI Strength
urn:oasis:names:tc:SAML:2.0:ac:classes:X509                       1000                    3
urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract    800                     3
urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol           700                     2
urn:oasis:names:tc:SAML:2.0:ac:classes:Password                   200                     1

The range of strength levels reflects the total number of groups in the list. For example, if there are three groups, the strength level ranges from 1 to the total number of groups, which is 3.
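The following Python model, added here as an illustration and not part of the CA SiteMinder® Federation product or its documentation, works the grouped template above through the two uses the page describes: at the IdP, choosing the AuthnContext URI whose protection level range covers the session, and at the SP, checking an asserted context against the requested one. It assumes that a URI's minimum protection level is one above the next entry's maximum (1 for the last entry) and goes beyond the page's "exact" example by also handling the other SAML 2.0 comparison values (minimum, maximum, better); the names ContextEntry, compute_ranges, context_for_session and request_satisfied are this example's own.

```python
from dataclasses import dataclass

@dataclass
class ContextEntry:
    uri: str
    max_level: int  # maximum protection level entered in the Administrative UI
    group: int      # entries sharing a group value are indented together

def compute_ranges(template):
    """Map each URI to (min_level, max_level, strength). The template lists the
    strongest URI first. Assumed: a URI's minimum is one above the next entry's
    maximum (1 for the last entry); every group shares one strength value."""
    order = []
    for e in template:
        if e.group not in order:
            order.append(e.group)
    ranges = {}
    for i, e in enumerate(template):
        lo = template[i + 1].max_level + 1 if i + 1 < len(template) else 1
        if lo > e.max_level:
            raise ValueError(f"protection levels must descend: {e.uri}")
        ranges[e.uri] = (lo, e.max_level, len(order) - order.index(e.group))
    return ranges

def context_for_session(ranges, session_level):
    """IdP side: the URI whose range covers the session's protection level."""
    for uri, (lo, hi, _) in ranges.items():
        if lo <= session_level <= hi:
            return uri
    raise ValueError(f"no URI covers protection level {session_level}")

def request_satisfied(ranges, requested_uri, asserted_uri, comparison="exact"):
    """SP side: does the asserted context meet the requested one under the
    SAML 2.0 comparison value (exact, minimum, maximum or better)?"""
    want, got = ranges[requested_uri][2], ranges[asserted_uri][2]
    if comparison == "exact":
        return asserted_uri == requested_uri
    if comparison == "minimum":
        return got >= want
    if comparison == "maximum":
        return got <= want
    if comparison == "better":
        return got > want
    raise ValueError(f"unknown comparison value {comparison!r}")

# Constructed template: the page's grouped example (X509 and
# MobileTwoFactorContract are one group, so both get strength 3).
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
GROUPED = [ContextEntry(AC + "X509", 1000, 0), ContextEntry(AC + "MobileTwoFactorContract", 800, 0),
           ContextEntry(AC + "InternetProtocol", 700, 1), ContextEntry(AC + "Password", 200, 2)]
```

With this template a SiteMinder X.509 scheme at protection level 20 lands in the Password range (1 through 200), which is exactly the mismatch the note about covering the configured scheme levels warns about.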