How to configure AuthnContext for SAML Response in Azure AD

test 1 Reputation point
2020-04-30T08:38:12.48+00:00

How to configure AuthContext for SAML Response in Azure AD
<!--
  Sample SAML 2.0 Response issued by Azure AD (Issuer https://sts.windows.net/<tenant>/)
  to the service provider "sp-src-sts", as posted by the asker. What a relying party
  should verify before trusting it, all of it visible in the document below:
  - Only the <Assertion> is signed. The <samlp:Response> wrapper and its <samlp:Status>
    carry no signature of their own, so the Success status is not authenticated by itself;
    the <Reference URI> must resolve to the Assertion ID.
  - InResponseTo (on the Response and on SubjectConfirmationData) must match an outstanding
    request ID; Destination and Recipient must equal the SP's own ACS URL.
  - Conditions NotBefore/NotOnOrAfter, Audience and the SubjectConfirmationData NotOnOrAfter
    bound when, and for whom, the assertion is valid.
  - The AuthnContextClassRef at the end is the value the question is about; note that it
    does not mirror the authnmethodsreferences attribute (see the comments there).
  The X509Certificate content was removed from this listing, so the signature cannot be
  re-checked from the page. Comments inside <Assertion> are appended to existing lines so
  that no whitespace text nodes are added; the declared exclusive C14N (without the
  WithComments variant) omits the comment nodes themselves.
-->
<samlp:Response
Destination="https://iam-client-test.us-east.philips-healthsuite.com/authorize/saml2/Consumer/metaAlias/sp-src-sts"
ID="_551f33a7-0948-4d5f-8d94-8f1a6429b6a6" InResponseTo="s26391981fd28232f9e4355773a49f3d1f9dd4673b"
IssueInstant="2020-04-30T06:17:47.297Z" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/bf70d2cc-3261-4051-8a37-376cb59280e1/</Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><!-- unsigned: status alone proves nothing -->
<Assertion ID="_c3de3e6b-a4fe-4eba-b7bf-824ef604ec00" IssueInstant="2020-04-30T06:17:47.297Z"
Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://sts.windows.net/bf70d2cc-3261-4051-8a37-376cb59280e1/</Issuer><!-- same tenant issuer as the Response -->
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><!-- enveloped signature over this Assertion only; validate against the IdP certificate from federation metadata, not merely the embedded KeyInfo -->
<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_c3de3e6b-a4fe-4eba-b7bf-824ef604ec00"><!-- must equal the Assertion ID above -->
<Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>AE98Z9l1LAw3HmxABYmPF368aIAKhuNI4Au+pO2ONhE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>CLuYTa33mvmMbDIdc2O5K74mKk0SGmzNOKzRTIaonRkhqBuB4cjP0FAOHBX3DBGdR1b+S/HQcV5Hi3VI9KYXaLCQ4VmgLK5qFBC/MNUwtwx5pqxFD2V5xvUHTjnt/EWHMqm2Byg3HFoudy9T+ZY+w0Y85XQYRm7BNhFNeWlj2o1+luDicfcCHPSbmdwp1u/OaU3r8dzTiQi3yT5Ix80ejhZTKr2GBcmdZzifvwN6OutaKFxNbh1bzEp/Bu1RTkYuxJ5G5EmQpCmwkks8ms5CcTptf0fA4HxmUWjoGkRGdy+Nsa97TjAVAq2hQ6PAzlZ4g7sYCXXz17ETAPHaYSA+6Q==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>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</X509Certificate><!-- certificate content removed from this listing -->
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="sp-src-sts">N8kHZrWb-2tpYeslSb3M_HraTCZeAK-xZdoolFKUIbs</NameID><!-- persistent format: opaque identifier, distinct from the UPN carried in the claims/name attribute below -->
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="s26391981fd28232f9e4355773a49f3d1f9dd4673b"
NotOnOrAfter="2020-04-30T07:17:47.126Z"
Recipient="https://iam-client-test.us-east.philips-healthsuite.com/authorize/saml2/Consumer/metaAlias/sp-src-sts"/></SubjectConfirmation><!-- bearer confirmation: the SP checks InResponseTo against its own request ID, Recipient against its ACS URL, and that NotOnOrAfter has not passed -->
</Subject>
<Conditions NotBefore="2020-04-30T06:12:47.126Z" NotOnOrAfter="2020-04-30T07:17:47.126Z"><!-- NotBefore is 5 minutes before IssueInstant (clock-skew allowance, presumably); NotOnOrAfter about an hour after IssueInstant -->
<AudienceRestriction>
<Audience>sp-src-sts</Audience><!-- must equal the SP entity ID; it matches the SPNameQualifier above -->
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
<AttributeValue>bf70d2cc-3261-4051-8a37-376cb59280e1</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
<AttributeValue>33641d6a-24f8-4421-be51-82433a15f934</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
<AttributeValue>test</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
<AttributeValue>https://sts.windows.net/bf70d2cc-3261-4051-8a37-376cb59280e1/</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><!-- lists password plus multipleauthn, yet the AuthnContextClassRef below reports only Password; an SP that must enforce MFA should not infer it from AuthnContextClassRef in this response -->
<AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
<AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<AttributeValue>test</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
<AttributeValue>test</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>test@srcco.onmicrosoft.com</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2020-04-06T07:02:17.820Z"
SessionIndex="_c3de3e6b-a4fe-4eba-b7bf-824ef604ec00"><!-- AuthnInstant is 24 days before IssueInstant: the authentication event predates this assertion (an existing SSO session, presumably); an SP needing a fresh login must check AuthnInstant. SessionIndex equals the Assertion ID -->
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef><!-- the value the question is about: what the IdP asserts; the answer's RequestedAuthnContext is how the SP asks for a class -->
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>


1 answer

  1. Saurabh Sharma 23,806 Reputation points Microsoft Employee
    2020-05-05T18:08:38.263+00:00

    You need to use the RequestedAuthnContext element in the authentication request to specify the desired authentication methods, adding one or more AuthnContextClassRef values such as urn:oasis:names:tc:SAML:2.0:ac:classes:Password.

    So, your SAML authentication request would look like the one below:

    <!--
      SP-initiated AuthnRequest showing where RequestedAuthnContext goes. The ID, the 2014
      IssueInstant and the Issuer urn:federation:MicrosoftOnline appear to be sample values;
      a real request carries the SP's own entity ID as Issuer and a fresh ID/IssueInstant
      that the SP stores so it can match the InResponseTo of the returned Response.
      Comparison="exact" asks the IdP to satisfy exactly the listed class (the other legal
      values are minimum, better and maximum). Requesting a context does not guarantee it:
      the SP must still check AuthnContextClassRef in the assertion it receives.
    -->
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7171b0b2-19f2-4ba2-8f94-24b5e56b7f1e" IssueInstant="2014-01-30T16:18:35Z" Version="2.0" AssertionConsumerServiceIndex="0" >  
          <saml:Issuer>urn:federation:MicrosoftOnline</saml:Issuer>  
           <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>  
            <samlp:RequestedAuthnContext Comparison="exact">  
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>  
            </samlp:RequestedAuthnContext>  
    </samlp:AuthnRequest>  
    

    Please refer to the documentation -

