MellonAuthnContextClassRef for implementing REFEDS MFA profile

Question

MellonAuthnContextClassRef for implementing REFEDS MFA profile

lonoak opened this issue 6 years ago · 2 comments

Not quite sure if my problem is related to #183, so I'll just fill in a new issue (I'm not seeing the lasso error mentioned in that issue, and my problem sounds to me different).

I'm trying to implement a service provider with the REFEDS MFA profile in place; that is, requesting to send with the request an AuthnContextClassRef element with value https://refeds.org/profile/mfa.

I guess the directive to be configured might be:

MellonAuthnContextClassRef "https://refeds.org/profile/mfa"

...but I'm not seeing this AuthnContextClassRef being sent with the request. Also tried with the sample values, but can't see this being sent with the authn request.

Am I doing anything wrong?

My setup is on CentOS 7 with mod_auth_mellon package mod_auth_mellon-0.13.1-3.el7_5.x86_64.

Thanks in advance.

Answer 1 · 2018-11-05T09:59:05.000Z

Hi,

I did a quick test here, and setting that option does cause the <saml:AuthnContextClassRef>-element to be inserted into the authentication request for me:

<samlp:RequestedAuthnContext>
  <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef> 
</samlp:RequestedAuthnContext>

Did you remember to restart Apache after updating the configuration? Also, please verify that the option is set on the root of the site and not just for some locations.

Answer 2 · 2018-11-05T10:07:16.000Z

Hi Olav,

You are right. It was not set on the root of the site, but on the location of the SP.

Thanks!