AD FS SP forcing custom AuthnRequest

AD FS Error: Exception details: Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.UnknownAuthenticationTypePolicyException: MSIS3305: None of the AuthenticationContext class references specified in the SAMLP request is supported by the server.

An SP we are working with has changed their SAML authentication request. It now forces a custom authentication method that AD FS does not know:

<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{Custom-Value}</saml:AuthnContextClassRef>

The SP is set up as a relying party trust in the AD FS.

I have tried any and all ways I can find to try and change this with a custom claims rule, but my conclusion is that you can't change the incoming request in that way. Am I correct?

In case you want to see the latest one of many attempts:

c:[Type == "urn:oasis:names:tc:SAML:2.0:assertion", Value =~ "^(?i)Custom-Value$"] => issue(Type = "urn:oasis:names:tc:SAML:2.0:assertion", Value = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");

(I don't care about the issued value here, I just want something else for testing.)

The current flow (with the error): go to their site -> redirect to ours -> authenticate -> SAML response (urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext) -> nothing happens on their site.

So my question is, do I really have to implement a whole library/plugin just to "accept" this new saml:AuthnContextClassRef value, and then somehow code it to go about everything normally? Because the authentication part works normally, with the user inputting what is required.

Or do I have any other options regarding this? If not, would anyone be able to link me to a more trusty source regarding its development? The one from MS (https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) is not confidence-inducing due to their disclaimer:

The example that you can build here is for educational purposes only. These instructions are for the simplest, most minimal implementation possible to expose the required elements of the model. There is no authentication back end, error processing, or configuration data.
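As an added diagnostic (not part of the original post, and not AD FS code), the following script reproduces the decision behind the MSIS3305 / NoAuthnContext outcome described in the question: it decodes a SAMLRequest from the HTTP-Redirect binding, extracts the RequestedAuthnContext class references, and compares them against an assumed set of classes the IdP supports. The SUPPORTED_CLASSES set, the sample AuthnRequest and the class value urn:example:custom-value are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed set of authentication context classes this IdP accepts; an AD FS
# deployment's real set depends on its configured authentication methods.
SUPPORTED_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos",
    "urn:federation:authentication:windows",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"

# Constructed AuthnRequest carrying an AuthnContextClassRef the IdP does not know.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:example:custom-value</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64 (URL-encoding omitted)."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect(saml_request_param):
    """Inverse of encode_redirect: recover the AuthnRequest XML from a SAMLRequest parameter."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode()

def requested_context(xml_text):
    """Return (Comparison attribute, list of AuthnContextClassRef values), or (None, []) if absent."""
    rac = ET.fromstring(xml_text).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return rac.get("Comparison", "exact"), refs

def evaluate(xml_text, supported=SUPPORTED_CLASSES):
    """Predict the top-level status when none of the requested classes is supported."""
    comparison, refs = requested_context(xml_text)
    if comparison is None:
        return STATUS_SUCCESS, []            # no constraint: the IdP picks the method
    unsupported = [r for r in refs if r not in supported]
    if len(unsupported) == len(refs):        # nothing the IdP can satisfy (MSIS3305 case)
        return STATUS_NO_AUTHN_CONTEXT, unsupported
    return STATUS_SUCCESS, unsupported
```

Running evaluate(decode_redirect(param)) on a captured SAMLRequest parameter shows which class references the SP is demanding, which is the value the SP (not a claims rule on the IdP side) has to change.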
