Hi,
I'm looking at supporting REFEDS MFA on our SATOSA OIDC/SAML proxy (OIDC OP frontend, SAML SP backend).
I see there is already some code supporting AuthnContextClassRef in the SAML frontend ( 2801eb1 ) and backend ( e7f281c ), but it seems to be ignored by the OIDC front-end ( satosa.frontends.openid_connect.OpenIDConnectFrontend ).
I understand it should be requested via a claims request for id_token, as per the examples given for the OIDC binding at https://refeds.org/profile/mfa
When testing this against SATOSA ( 8.4.0 ), this request appeared to be ignored: not only was it not passed through in SAML, but the OP returned a response to the OIDC client with no acr value, despite the acr id_token claim being flagged as essential.
I understand this would require making changes at least to the OIDC frontend, plus possibly some glue code via a microservice.
I'm happy to contribute the code, but I'm opening this ticket first as a discussion space to coordinate with other work that may already have been done / is being done.
Code Version
8.4.0
Expected Behavior
ACR requests passed through to SP and responses passed back to client.
Current Behavior
ACR values ignored.
Possible Solution
1. Store requested ACR values in context (OIDC frontend - appears already done for SAML).
2. Pick the ACR values from context and pass them through (OIDC backend - also appears already done for SAML).
3. Receive ACR values and store them in context (OIDC + SAML backends).
4. Pass ACR values back to clients (OIDC + SAML backends).
Steps to Reproduce
claims parameter requesting REFEDS MFA ACR value:
{"id_token": {"acr": {"essential": true, "value": "https://refeds.org/profile/mfa"}}}
@c00kiemon5ter, please let me know what the overall position on this is.
Many thanks in advance for getting back to me.
Cheers,
Vlad
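As an added illustration (not code from SATOSA or from this issue), the claims request above as a small Python helper, plus the two pieces of logic the proposed fix needs: parsing the requested acr out of the claims parameter the way an OP front-end would, and rejecting an id_token whose essential acr is missing (the behaviour reported above) or different. Function names and the sample id_token payloads are constructed for the example.

```python
import json

REFEDS_MFA = "https://refeds.org/profile/mfa"


def build_claims_request(acr=REFEDS_MFA):
    """Value of the OIDC `claims` request parameter asking for the REFEDS MFA
    ACR as an essential id_token claim (the request used in this issue)."""
    return json.dumps({"id_token": {"acr": {"essential": True, "value": acr}}})


def requested_acr_values(claims_param):
    """Parse `claims` the way an OP front-end would and return
    (requested acr values, essential?) for the id_token, or ([], False) when
    no acr was requested.  Accepts both the `value` and `values` forms of
    OIDC Core 5.5.1; a bare `"acr": null` (any value) also yields []."""
    claims = json.loads(claims_param) if isinstance(claims_param, str) else claims_param
    acr = (claims.get("id_token") or {}).get("acr")
    if not isinstance(acr, dict):
        return [], False
    values = acr.get("values") or ([acr["value"]] if "value" in acr else [])
    return list(values), bool(acr.get("essential", False))


def mfa_satisfied(id_token_claims, required_acr=REFEDS_MFA):
    """Check the decoded id_token an RP (or the proxy front-end) receives.
    Returns (ok, reason).  A missing acr, as reported in this issue, or a
    different acr means the essential MFA requirement was not met, so the
    login must not be treated as MFA-authenticated."""
    acr = id_token_claims.get("acr")
    if acr is None:
        return False, "no acr claim in id_token (essential claim not honoured)"
    if acr != required_acr:
        return False, f"acr {acr!r} does not match required {required_acr!r}"
    return True, "acr matches the requested REFEDS MFA profile"


# Constructed sample id_token payloads (decoded JWT claims, not real tokens):
SAMPLE_MFA_OK = {"sub": "alice", "iss": "https://proxy.example.org", "acr": REFEDS_MFA}
SAMPLE_NO_ACR = {"sub": "alice", "iss": "https://proxy.example.org"}
SAMPLE_SFA = {"sub": "alice", "acr": "https://refeds.org/profile/sfa"}

if __name__ == "__main__":
    print(build_claims_request())
    print(requested_acr_values(build_claims_request()))
    for sample in (SAMPLE_MFA_OK, SAMPLE_NO_ACR, SAMPLE_SFA):
        print(mfa_satisfied(sample))
```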