Page History

ACR value

1. RP does not request for ACR by default. Modify the RP to request for password authentication.

   Code Block
   theme RDark
   nano +418 /etc/httpd/conf.d/auth_openidc.conf OIDCAuthRequestParams acr_values=password systemctl restart httpd

   
   

2. Run authentication sequence and verify from the logs that password authentication is being requested

   Code Block
   theme RDark title Hints, Tips and Result collapse true
   Parameters: scope:openid profile email address phone acr_values:password response_type:code state:UeWkLZsv4qfSh5kmzN21TsHqj0E redirect_uri:https://195.148.31.24:8443/protected/redirect_uri nonce:dC3KenQHX-8R1eSXrkNQajljL0NuxpafDOiAZ-5vHnk client_id:test_rp

   
   

3. OP does not seem to respond with ACR claim value - there is no [OIDC_CLAIM_acr] on your landing page.  The authentication method principals are set in /opt/shibboleth-idp/conf/authn/general-authn.xml. See https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/AuthenticationConfiguration on how to add "password" authentication method principal for password flow.

   Code Block
   language xml theme RDark title Hints, Tips amd Result collapse true
   <bean id="authn/Password" parent="shibboleth.AuthenticationFlow" p:passiveAuthenticationSupported="true" p:forcedAuthenticationSupported="true" > <property name="supportedPrincipals"> <list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" /> <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="urn:oasis:names:tc:SAML:1.0:am:password" /> <bean parent="shibboleth.OIDCAuthnContextClassReference" c:classRef="password" /> </list> </property> </bean>

   
   

4. Run authentication sequence and verify the use of ACR claim.
   

   1. Verify the ACR  claim value from your landing page.

      Code Block
      theme RDark title Hints, Tips and Result collapse true
      [OIDC_CLAIM_acr] => password

      
      

   2. The value is set in action AddAcrToIdToken. Verify from the logs the action has taken place.

      Code Block
      theme RDark title Hints, Tips and Result collapse true
      grep AddAcrToIDToken /opt/shibboleth-idp/logs/idp-process.log 2018-09-10 04:52:49,068 - DEBUG [org.geant.idpextension.oidc.profile.impl.AddAcrToIDToken:58] - Profile Action AddAcrToIDToken: Setting acr to id token 2018-09-10 04:52:49,079 - DEBUG [org.geant.idpextension.oidc.profile.impl.AddAcrToIDToken:60] - Profile Action AddAcrToIDToken: Updated token {"sub":"VUG4777YP3NMU5KRFESX6SKRAPXLE4MI","aud":["_443085776b9c4370eeb8b7481b99dbe3"],"acr":"password","auth_time":1536555148,"iss":"https:\/\/192.168.0.150","exp":1536558769,"iat":1536555169}

      
      

   3. Client receives the ACR claim in ID Token. Locate ID Token from Token Response (field "id_token") in the logs. Decode the ID Token and verify the existence and value of ACR claim. Use for instance https://jwt.io/ to decode the ID Token.

      Code Block
      theme RDark title Hints, Tips and Result collapse true
      grep id_token /opt/shibboleth-idp/logs/idp-process.log Content:{"access_token":"AAdzZWNyZXQxV9G7fr...tJ9","id_token":"eyJraWQiOiJ0ZXN0a2V5UlMiLCJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiaW9wTFlpbjNSYmVmUmxJamdjWkNQQSIsInN1YiI6IlZVRzQ3NzdZUDNOTVU1S1JGRVNYNlNLUkFQWExFNE1JIiwiYXVkIjoiXzQ0MzA4NTc3NmI5YzQzNzBlZWI4Yjc0ODFiOTlkYmUzIiwiYWNyIjoicGFzc3dvcmQiLCJhdXRoX3RpbWUiOjE1MzY1NTUxNDgsImlzcyI6Imh0dHBzOlwvXC8xOTIuMTY4LjAuMTUwIiwiZXhwIjoxNTM2NTU4NzY5LCJpYXQiOjE1MzY1NTUxNjksIm5vbmNlIjoiUmZPNjhnSmVHbEoyb0xaOU9XamVCWWJidlNiNVI1U3Mza3ZwM1daSTVOQSJ9.kIF8PKmVVEULbas6gsaiOchO51W_614V6WvXMfIraW2RosTAmSoyFVjCT_RxOp5RRHQVbpHVVb9Q9lQcwE0ZjnyTU4VCP2ZQN7EqLHP8gTLQ_SIhooQ8cB5hP_w-ijd4ZPw2tSSDk44X2mdfOJv0W0TftwxRFkprp8pleYqz1YIMh0DH3lpvU8AbsmZ-K7ehJYegln35rWzz9Ve7tqFTBlAB0Gj4sYGCcR6oAKPrMmo9LiYrpe92viFfAGiRZFthz9Mjd1THZOLWNd62tpJJLgm6RqDDPMolM2NrPahcYvDHakErM9S5Xp0hHoyn6J4ihArDGqWNrgI3y9_6GJu35g","token_type":"Bearer","expires_in":600} { kid: "testkeyRS", alg: "RS256" }.{ at_hash: "iopLYin3RbefRlIjgcZCPA", sub: "VUG4777YP3NMU5KRFESX6SKRAPXLE4MI", aud: "_443085776b9c4370eeb8b7481b99dbe3", acr: "password", auth_time: 1536555148, iss: "https:\/\/192.168.0.150", exp: 1536558769, iat: 1536555169, nonce: "RfO68gJeGlJ2oLZ9OWjeBYbbvSb5R5Ss3kvp3WZI5NA" }.[signature]