Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Configuring Authentication

Info
titleSection Topics
  • OIDC Authentication Request
  • Authentication flow selection for OIDC authentication request

OIDC Authentication Request

Panel
bgColorlightgray
titleAuthentication Request

http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

http://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests
  • Requested Authentication Context Class Reference values are defined by acr_values request parameter and  acr claims request.
    • Request may be essential or non-essential.
  • prompt has options
    • none, The Authorization Server MUST NOT display any authentication or consent user interface pages. Translates to isPassive.
    •  login, The Authorization Server SHOULD prompt the End-User for reauthentication. Translates to forceAuthn.
    •  consent, The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client
    •  select_account, The Authorization Server SHOULD prompt the End-User to select a user account. Not supported by current implementation.
  • max_age, specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP.

Authentication flow selection for OIDC authentication request

Panel
bgColorlightgray
titleOIDC Extension Authentication Configuration
https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/AuthenticationConfiguration

Exercises

Panel
bgColorlightblue
titleExercise 3.1 - ACR value

ACR value

  1. RP does not request for ACR by default. Modify the RP to request for password authentication.

    Code Block
    themeRDark
    nano +418 /etc/httpd/conf.d/auth_openidc.conf
    
    OIDCAuthRequestParams acr_values=password
    
    systemctl restart httpd
    
    


  2. Run authentication sequence and verify from the logs that password authentication is being requested

    Code Block
    themeRDark
    titleHints, Tips and Result
    collapsetrue
    Parameters:
        scope:openid profile email address phone
        acr_values:password
        response_type:code
        state:UeWkLZsv4qfSh5kmzN21TsHqj0E
        redirect_uri:https://195.148.31.24:8443/protected/redirect_uri
        nonce:dC3KenQHX-8R1eSXrkNQajljL0NuxpafDOiAZ-5vHnk
        client_id:test_rp


  3. OP does not seem to respond with ACR claim value - there is no [OIDC_CLAIM_acr] on your landing page.  The authentication method principals are set in /opt/shibboleth-idp/conf/authn/general-authn.xml. See https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/AuthenticationConfiguration on how to add "password" authentication method principal for password flow.

    Code Block
    languagexml
    themeRDark
    titleHints, Tips amd Result
    collapsetrue
    <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
                p:passiveAuthenticationSupported="true"
                p:forcedAuthenticationSupported="true" >
        <property name="supportedPrincipals">
            <list>
              <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
              <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
              <bean parent="shibboleth.SAML1AuthenticationMethod"
                  c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
              <bean parent="shibboleth.OIDCAuthnContextClassReference"
                  c:classRef="password" />
            </list>
          </property>
    </bean>


  4. Run authentication sequence and verify the use of ACR claim.
    1. Verify the ACR  claim value from your landing page.

      Code Block
      themeRDark
      titleHints, Tips and Result
      collapsetrue
      [OIDC_CLAIM_acr] => password


    2. The value is set in action AddAcrToIdToken. Verify from the logs the action has taken place.

      Code Block
      themeRDark
      titleHints, Tips and Result
      collapsetrue
      grep AddAcrToIDToken /opt/shibboleth-idp/logs/idp-process.log
      
      2018-09-10 04:52:49,068 - DEBUG [org.geant.idpextension.oidc.profile.impl.AddAcrToIDToken:58] - Profile Action AddAcrToIDToken: Setting acr to id token
      2018-09-10 04:52:49,079 - DEBUG [org.geant.idpextension.oidc.profile.impl.AddAcrToIDToken:60] - Profile Action AddAcrToIDToken: Updated token {"sub":"VUG4777YP3NMU5KRFESX6SKRAPXLE4MI","aud":["_443085776b9c4370eeb8b7481b99dbe3"],"acr":"password","auth_time":1536555148,"iss":"https:\/\/192.168.0.150","exp":1536558769,"iat":1536555169}


    3. Client receives the ACR claim in ID Token. Locate ID Token from Token Response (field "id_token") in the logs. Decode the ID Token and verify the existence and value of ACR claim. Use for instance https://jwt.io/ to decode the ID Token.

      Code Block
      themeRDark
      titleHints, Tips and Result
      collapsetrue
      grep id_token /opt/shibboleth-idp/logs/idp-process.log 
      
      Content:{"access_token":"AAdzZWNyZXQxV9G7fr...tJ9","id_token":"eyJraWQiOiJ0ZXN0a2V5UlMiLCJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiaW9wTFlpbjNSYmVmUmxJamdjWkNQQSIsInN1YiI6IlZVRzQ3NzdZUDNOTVU1S1JGRVNYNlNLUkFQWExFNE1JIiwiYXVkIjoiXzQ0MzA4NTc3NmI5YzQzNzBlZWI4Yjc0ODFiOTlkYmUzIiwiYWNyIjoicGFzc3dvcmQiLCJhdXRoX3RpbWUiOjE1MzY1NTUxNDgsImlzcyI6Imh0dHBzOlwvXC8xOTIuMTY4LjAuMTUwIiwiZXhwIjoxNTM2NTU4NzY5LCJpYXQiOjE1MzY1NTUxNjksIm5vbmNlIjoiUmZPNjhnSmVHbEoyb0xaOU9XamVCWWJidlNiNVI1U3Mza3ZwM1daSTVOQSJ9.kIF8PKmVVEULbas6gsaiOchO51W_614V6WvXMfIraW2RosTAmSoyFVjCT_RxOp5RRHQVbpHVVb9Q9lQcwE0ZjnyTU4VCP2ZQN7EqLHP8gTLQ_SIhooQ8cB5hP_w-ijd4ZPw2tSSDk44X2mdfOJv0W0TftwxRFkprp8pleYqz1YIMh0DH3lpvU8AbsmZ-K7ehJYegln35rWzz9Ve7tqFTBlAB0Gj4sYGCcR6oAKPrMmo9LiYrpe92viFfAGiRZFthz9Mjd1THZOLWNd62tpJJLgm6RqDDPMolM2NrPahcYvDHakErM9S5Xp0hHoyn6J4ihArDGqWNrgI3y9_6GJu35g","token_type":"Bearer","expires_in":600}
      
      {
       kid: "testkeyRS",
       alg: "RS256"
      }.{
       at_hash: "iopLYin3RbefRlIjgcZCPA",
       sub: "VUG4777YP3NMU5KRFESX6SKRAPXLE4MI",
       aud: "_443085776b9c4370eeb8b7481b99dbe3",
       acr: "password",
       auth_time: 1536555148,
       iss: "https:\/\/192.168.0.150",
       exp: 1536558769,
       iat: 1536555169,
       nonce: "RfO68gJeGlJ2oLZ9OWjeBYbbvSb5R5Ss3kvp3WZI5NA"
      }.[signature]


...