SAML Request with multiple AuthnContextClassRef and Response that indicates status of each

Considering that I have an n-factor authentication:

<saml:AuthnContextClassRef>
    urn:oasis:names:tc:SAML:2.0:ac:classes:Password
</saml:AuthnContextClassRef>
...
<saml:AuthnContextClassRef>
    urn:oasis:names:tc:SAML:2.0:ac:classes:TimesyncToken
</saml:AuthnContextClassRef>

How do I indicate the result of each one in the Response? Do I need an Assertion for each? I don't want to rely on a single StatusCode to indicate the final result.

⚠️ Warning: this answer is wrong despite being the accepted answer

As noted in the comments, a Response can only have one AuthnContextClassRef element.
One would have to include an AuthnContextDecl nested element with value(s) that are agreed between SP and IdP. Thanks @Patrick

You can include multiple AuthnContextClassRef elements in the SAML Response as part of the Assertion's AuthnStatement, for example:

<AuthnContext>
    <AuthnContextClassRef>
        urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    </AuthnContextClassRef>
    <AuthnContextClassRef>
        urn:oasis:names:tc:SAML:2.0:ac:classes:TimesyncToken
    </AuthnContextClassRef>
</AuthnContext>

Those represent the "context" with respect to the authentication event. If some factors are optional, you would include only the successful ones and omit the unsuccessful or not-triggered ones.

The StatusCode is actually independent and indicates the overall authentication success/failure.
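The following is an added example, not code from the original question or answer. It shows the SP-side (relying party) check that follows from the correction above: the SAML 2.0 core schema allows at most one AuthnContextClassRef per AuthnContext, so a Response carrying two is schema-invalid and should be rejected rather than interpreted as "both factors passed"; the overall result is read from the separate StatusCode; and the single class ref is compared against the set of contexts the SP is willing to accept. The sample Responses are constructed inline (no signature, no Conditions), and the policy set of acceptable class refs is an assumption; a real SP verifies the XML signature and Conditions before this step.

```python
"""Added example: SP-side evaluation of AuthnContext in a SAML 2.0 Response.

Uses only the standard library. Sample Responses are constructed below and
carry no signature; signature and Conditions validation is assumed to have
already happened before evaluate_response() is called.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
TIMESYNC = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimesyncToken"


def q(ns, tag):
    """Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (ns, tag)


def evaluate_response(xml_text, acceptable_class_refs):
    """Return (ok, reason).

    ok is True only when the Response StatusCode is Success, every
    AuthnStatement carries exactly one AuthnContextClassRef (the schema
    maximum), and that class ref is in the SP's acceptable set.
    """
    root = ET.fromstring(xml_text)

    # Overall outcome lives in samlp:Status, independent of the AuthnContext.
    status = root.find("./%s/%s" % (q(SAMLP, "Status"), q(SAMLP, "StatusCode")))
    if status is None or status.get("Value") != STATUS_SUCCESS:
        return False, "status-not-success"

    statements = root.findall(".//%s" % q(SAML, "AuthnStatement"))
    if not statements:
        return False, "no-authn-statement"

    for stmt in statements:
        ctx = stmt.find(q(SAML, "AuthnContext"))
        if ctx is None:
            return False, "no-authn-context"
        refs = [r.text.strip() for r in ctx.findall(q(SAML, "AuthnContextClassRef"))
                if r.text and r.text.strip()]
        # Two or more class refs is schema-invalid; zero means the IdP relied on
        # AuthnContextDecl/DeclRef instead, which this SP policy does not accept.
        if len(refs) != 1:
            return False, "authncontextclassref-count=%d" % len(refs)
        if refs[0] not in acceptable_class_refs:
            return False, "context-not-acceptable:" + refs[0]
    return True, "ok"


def build_response(status_value, class_refs):
    """Construct a minimal sample Response (constructed test data, unsigned)."""
    refs = "".join(
        "<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>" % c
        for c in class_refs
    )
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
        '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0">'
        '<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">'
        "<saml:AuthnContext>%s</saml:AuthnContext>"
        "</saml:AuthnStatement></saml:Assertion></samlp:Response>"
    ) % (SAMLP, SAML, status_value, refs)


if __name__ == "__main__":
    policy = {TIMESYNC}  # assumption: the SP only accepts the second factor's context
    print(evaluate_response(build_response(STATUS_SUCCESS, [TIMESYNC]), policy))
    print(evaluate_response(build_response(STATUS_SUCCESS, [PASSWORD]), policy))
    print(evaluate_response(build_response(STATUS_SUCCESS, [PASSWORD, TIMESYNC]), policy))
    print(evaluate_response(build_response(STATUS_REQUESTER, [TIMESYNC]), policy))
```

The policy set is where the "which factors ran" question gets answered on the SP side: because only one class ref can be carried, the IdP and SP have to agree on a class ref (or an AuthnContextDecl) that denotes the whole successful combination, and the SP accepts that value rather than counting elements.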