By default, the MPASSid authentication discovery page lets the user search for and choose an authentication source from all the supported authentication methods and sources.

If you want to skip this step, for example to provide your own discovery service page or to direct the user to a specific authentication source, you can do so by setting specific parameters in your application's SAML or OpenID Connect authentication requests.

Authentication sources

API

MPASSid provides a list of all current authentication sources, accessible from the API endpoint with a GET request.

The authentication source ids provided by the API are referred to with the following prefixes:

  • urn:mpass.id:authnsource: for authentication sources (for instance urn:mpass.id:authnsource:ShibLdap)

The request (GET) parameters

  • lang (optional): two-letter language code, defaults to FI.
    • Currently supported codes: FI (Finnish) and SV (Swedish).

The response

  • id: the unique identifier for this authentication source
  • title: the human-readable title for this authentication source
  • tags: the list of authentication tag ids related to this authentication source
  • iconUrl: a URL for the icon representing this authentication source
  • directRegistryConnection (boolean): flag for this source being directly connected to a user registry
  • supportsForced (boolean): flag for supporting forced authentication
  • supportsPassive (boolean): flag for supporting passive authentication

Example

> GET /idp/profile/api/authnsources HTTP/1.1
> Host: mpass-proxy.csc.fi
>
< HTTP/1.1 200 OK
< Date: Wed, 07 Feb 2018 12:53:51 GMT
< Server: Jetty(9.4.0.v20161208)
< Cache-Control: no-cache, no-store
< Pragma: no-cache
< Content-Type: application/json; charset=UTF-8
< Set-Cookie: JSESSIONID=node0orwc2vbh6eb7yt76o4e7q2pt37480.node0;Path=/idp;Secure
< Transfer-Encoding: chunked
<
{
    "lang":"FI",
    "response": [
        {
            "tags":["PrimarySchools"],
            "iconUrl":"https://example.org/icon1.jpg",
            "directRegistryConnection":true,
            "supportsForced":true,
            "supportsPassive":true,
            "id":"MunOne",
            "title":"Ankkalinna"
        },
        ...
    ]
}

SAML authentication request

The desired authentication source can be referred to in the SAML authentication request via the RequestedAuthnContext element, as defined in section 3.4.1 of SAML 2.0 Core. Of the Comparison attribute values, exact (the default) is currently supported.

Example

The following authentication request message asks MPASSid to redirect the user to the "ShibLdap" authentication source:

Remember to use the prefix from earlier!

  • urn:mpass.id:authnsource:ShibLdap

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    AssertionConsumerServiceURL="https://mpass-proxy-test.csc.fi/attributetest/Shibboleth.sso/SAML2/POST"
                    Destination="https://mpass-proxy-test.csc.fi/idp/profile/SAML2/Redirect/SSO"
                    ID="_d38e6f593bda8afa743782a3ecf40edf"
                    IssueInstant="2018-02-07T13:24:20Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0"
                    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://mpass-proxy-test.csc.fi/attributetest/shibboleth</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="1" />
    <samlp:RequestedAuthnContext>
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:mpass.id:authnsource:ShibLdap</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

OpenID Connect

When using OpenID Connect, you can set the acr_values parameter to include the preferred authentication method string.

Refer to your OpenID client documentation on how to achieve this.
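An added example in Python (not part of the MPASSid documentation) tying the API listing, the SAML section and the OpenID Connect section together: it resolves a bare source id from a constructed copy of the authnsources listing to the prefixed URN, refuses ForceAuthn/IsPassive for sources whose supportsForced/supportsPassive flags are false, serialises an AuthnRequest with the corresponding RequestedAuthnContext, and builds the matching acr_values query parameter. The SP URLs, request id and sample listing are constructed, and using the same prefixed URN as the acr_values string is an assumption.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PREFIX = "urn:mpass.id:authnsource:"
for prefix, ns in (("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, ns)
# Constructed stand-in for the body of GET /idp/profile/api/authnsources (not a live capture).
SAMPLE_RESPONSE = json.dumps({"lang": "FI", "response": [
    {"id": "MunOne", "title": "Ankkalinna", "tags": ["PrimarySchools"], "iconUrl": "https://example.org/icon1.jpg",
     "directRegistryConnection": True, "supportsForced": True, "supportsPassive": True},
    {"id": "ShibLdap", "title": "Example LDAP", "tags": [], "iconUrl": "https://example.org/icon2.jpg",
     "directRegistryConnection": False, "supportsForced": False, "supportsPassive": True}]})

def authn_context_ref(sources_json, source_id, force=False, passive=False):
    """Map a bare source id from the API listing to its prefixed URN, rejecting unknown
    ids and ForceAuthn/IsPassive requests the source does not advertise support for."""
    sources = {s["id"]: s for s in json.loads(sources_json)["response"]}
    src = sources.get(source_id)
    if src is None:
        raise ValueError(f"unknown authentication source: {source_id}")
    if force and not src["supportsForced"]:
        raise ValueError(f"{source_id} does not support forced authentication")
    if passive and not src["supportsPassive"]:
        raise ValueError(f"{source_id} does not support passive authentication")
    return PREFIX + source_id

def build_authn_request(issuer, acs_url, destination, request_id, issue_instant,
                        context_ref, force=False, passive=False):
    """Minimal AuthnRequest naming one MPASSid source; Comparison="exact" made explicit."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "AssertionConsumerServiceURL": acs_url, "Destination": destination,
        "ID": request_id, "IssueInstant": issue_instant, "Version": "2.0",
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    if force:
        req.set("ForceAuthn", "true")
    if passive:
        req.set("IsPassive", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {"AllowCreate": "1"})
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = context_ref
    return ET.tostring(req, encoding="unicode")

def oidc_acr_query(context_ref, **params):
    """Query string for an OIDC authorization request carrying acr_values (assumed prefixed URN)."""
    return urlencode({**params, "acr_values": context_ref})
```

Re-fetching the listing before building each request keeps the supportsForced/supportsPassive checks in step with what MPASSid currently advertises.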
