From 865dd55f04e6bb6c1fc1a7d3f4d17d62cc864243 Mon Sep 17 00:00:00 2001 From: Luca Leonardo Scorcia Date: Tue, 25 Aug 2020 04:10:15 +0200 Subject: [PATCH] KEYCLOAK-14961 SAML Client: Add ability to request specific AuthnContexts to remote IdPs --- server_admin/topics/identity-broker/saml.adoc | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/server_admin/topics/identity-broker/saml.adoc b/server_admin/topics/identity-broker/saml.adoc index da3050af24..611cbe6ac7 100644 --- a/server_admin/topics/identity-broker/saml.adoc +++ b/server_admin/topics/identity-broker/saml.adoc 
@@ -77,6 +77,26 @@ This link is an XML document describing metadata about the IDP. You can also import all this configuration data by providing a URL or XML file that points to the entity descriptor of the external SAML IDP you want to connect to. +[[_identity_broker_saml_requested_authncontext]] +==== Requesting specific AuthnContexts +Some Identity Providers let the clients specify particular constraints on the authentication method used to verify the user identity (e.g. asking for MFA, Kerberos authentication, security requirements, etc.). These are specified using particular AuthnContext criteria. A client can ask for one or more criteria and also specify how the Identity Provider should match the requested AuthnContext - exactly, or by satisfying same-or-better equivalents. + +You can list the criteria your Service Provider requires by adding one or more ClassRef or DeclRef in the Requested AuthnContext Constraints section. Usually you will need to provide either ClassRefs or DeclRefs - you should check with your Identity Provider docs which values are supported. If no ClassRefs or DeclRefs are present, the Identity Provider will not enforce additional constraints. + +.Requested AuthnContext Constraints +|=== +|Configuration|Description + +|Comparison +|The comparison method the Identity Provider should use to evaluate the context requirements. Available values are `Exact`, `Minimum`, `Maximum` or `Better`. Default value is `Exact`. + +|AuthnContext ClassRefs +|One or more AuthnContext ClassRefs that describe the required criteria. + +|AuthnContext DeclRefs +|One or more AuthnContext DeclRefs that describe the required criteria. +|=== + [[_identity_broker_saml_sp_descriptor]] ==== SP Descriptor
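Review bot: The new "Requesting specific AuthnContexts" section describes only what the broker sends ("how the Identity Provider should match the requested AuthnContext") and never states what Keycloak does with the AuthnContext the IdP actually asserts in its response; add a sentence after the paragraph ending "the Identity Provider will not enforce additional constraints." saying whether the returned AuthnContext is checked against the configured ClassRefs/DeclRefs and what happens on mismatch (assertion rejected, or accepted as-is), otherwise readers may assume the constraint is enforced on the SP side when it is only a request to the IdP. Two smaller points in the same hunk: "Usually you will need to provide either ClassRefs or DeclRefs" reads as if both may be combined, so say explicitly whether providing both is supported or whether one should be chosen, and the list "asking for MFA, Kerberos authentication, security requirements, etc." should drop the vague "security requirements" or name a concrete example such as a specific ClassRef URI, since the other two items are concrete.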