
Support REFEDS MFA profile / passing through AuthnContextClassRef #470

Open
@vladimir-mencl-eresearch

Description

Hi,

I'm looking at supporting REFEDS MFA on our SATOSA OIDC/SAML proxy (OIDC OP frontend, SAML SP backend).

I see there is already some code supporting AuthnContextClassRef in the SAML frontend (2801eb1) and backend (e7f281c), but it seems to be ignored by the OIDC front-end (satosa.frontends.openid_connect.OpenIDConnectFrontend).

I understand it should be requested via a claims request for id_token, as per the examples given for the OIDC binding at https://refeds.org/profile/mfa

When testing this against SATOSA ( 8.4.0 ), this request appeared to be ignored: not only was it not passed through in SAML, but the OP returned a response to the OIDC client with no acr value, despite the acr id_token claim being flagged as essential.

I understand this would require making changes at least to the OIDC frontend, plus possibly some glue code via a microservice.

I'm happy to contribute the code - but opening this ticket first as discussion space to coordinate with other work that may already have been done / is being done.

Code Version

8.4.0

Expected Behavior

ACR requests passed through to SP and responses passed back to client.

Current Behavior

ACR values ignored.

Possible Solution

  • Store requested ACR values in context (OIDC frontend - appears already done for SAML).
  • Pick the ACR values from context and pass them through (OIDC backend - also appears already done for SAML).
  • Receive ACR values and store them in context ( OIDC + SAML backends )
  • Pass ACR values back to clients ( OIDC + SAML backends )

Steps to Reproduce

  1. Setup SATOSA with OIDC front-end and SAML backend
  2. Send client request with claims parameter requesting REFEDS MFA ACR value: {"id_token":{"acr": {"essential": true, "value": "https://refeds.org/profile/mfa"} } }
  3. Requested ACR is not passed to SAML IdP
  4. OIDC front-end returns to client with no ACR value

@c00kiemon5ter , please let me know what the overall position on this is:

  1. Has anyone already started looking into this?
  2. If not, does it sound to you as worth having in SATOSA?
  3. Does the above rough plan point in the right direction?

Many thanks in advance for getting back to me.

Cheers,
Vlad
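The request/response mapping described in this issue, as an added example that is not part of the issue or of SATOSA's code: it parses the OIDC claims parameter from the steps above, builds the SAML RequestedAuthnContext an SP would forward to the IdP, extracts the AuthnContextClassRef from the IdP's assertion, and refuses to mint an id_token without acr when the claim was essential. The SATOSA context/plugin API is not used; the function names and the assertion fragment are the example's own constructions.

```python
import json
import xml.etree.ElementTree as ET

REFEDS_MFA = "https://refeds.org/profile/mfa"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def requested_acr(claims_param):
    """Parse the OIDC 'claims' request parameter. Returns the list of ACR
    values requested for the id_token and whether the claim is essential;
    ([], False) when no acr claim was requested."""
    acr = json.loads(claims_param).get("id_token", {}).get("acr")
    if acr is None:
        return [], False
    values = [acr["value"]] if "value" in acr else list(acr.get("values", []))
    return values, bool(acr.get("essential", False))

def build_requested_authn_context(values, comparison="exact"):
    """Build the <samlp:RequestedAuthnContext> an SP puts in its AuthnRequest
    to forward the requested ACR values to the IdP."""
    rac = ET.Element(f"{{{SAMLP_NS}}}RequestedAuthnContext", Comparison=comparison)
    for value in values:
        ET.SubElement(rac, f"{{{SAML_NS}}}AuthnContextClassRef").text = value
    return rac

def returned_class_ref(assertion_xml):
    """Extract the AuthnContextClassRef the IdP asserted, or None if absent."""
    ref = ET.fromstring(assertion_xml).find(f".//{{{SAML_NS}}}AuthnContextClassRef")
    return ref.text.strip() if ref is not None and ref.text else None

def id_token_acr(requested, essential, asserted):
    """Decide the acr claim for the id_token. An essential request that the
    IdP did not satisfy must fail rather than be silently dropped."""
    if asserted in requested:
        return asserted
    if essential:
        raise ValueError(f"essential acr {requested} not satisfied, IdP asserted {asserted!r}")
    return asserted  # voluntary request: report whatever the IdP actually asserted

# Constructed sample input: the claims request from the issue and a minimal
# assertion fragment (hypothetical, not a real IdP response) with the AuthnStatement.
CLAIMS_PARAM = '{"id_token":{"acr": {"essential": true, "value": "https://refeds.org/profile/mfa"} } }'
MFA_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AuthnStatement><saml:AuthnContext>'
    f'<saml:AuthnContextClassRef>{REFEDS_MFA}</saml:AuthnContextClassRef>'
    '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>'
)
```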
