KEYCLOAK-17788

Support setting AuthnContextClassRef in SAML response to SP

Details

    • Enhancement
    • Status: Triage
    • Minor
    • Resolution: Unresolved
    • 12.0.4
    • None
    • SAML
    • NEW
    • NEW

    Description

      GitLab supports the AuthnContextClassRef inside an AuthnContext to forward whether or not MFA was used for logging in:

      https://docs.gitlab.com/ee/integration/saml.html#bypass-two-factor-authentication

      <saml:AuthnStatement>
          <saml:AuthnContext>
              <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MediumStrongCertificateProtectedTransport</saml:AuthnContextClassRef>
          </saml:AuthnContext>
      </saml:AuthnStatement>
      

      Since we require MFA (TOTP or WebAuthn), it would be nice if we could pass this context along so that GitLab does not ask for MFA for users who are logging in using SSO.

            People

              Unassigned Unassigned
              bert.regeer@sapns2.com Bert Regeer (Inactive)
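
How a service provider could consume the AuthnContextClassRef requested above, as an added example that is not code from Keycloak, GitLab or the issue reporter. The function names, the allowlist and the sample assertions are assumptions constructed for illustration; only the MediumStrongCertificateProtectedTransport value comes from the issue.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Hypothetical SP-side allowlist of classes accepted as proof of MFA.
# The entry is the value quoted in the issue; real deployments choose their own.
MFA_CONTEXT_CLASSES = frozenset({AC + "MediumStrongCertificateProtectedTransport"})


def authn_context_class_refs(assertion_xml):
    """Return every AuthnContextClassRef under an AuthnStatement, in order."""
    # Assumption: the assertion signature was already validated by the SAML
    # library; an unsigned class ref must never drive an MFA decision.
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [(el.text or "").strip() for el in root.iterfind(path, NS)]


def idp_asserted_mfa(assertion_xml, accepted=MFA_CONTEXT_CLASSES):
    """Fail closed: True only if a class ref exists and all are allowlisted."""
    refs = authn_context_class_refs(assertion_xml)
    return bool(refs) and all(ref in accepted for ref in refs)


def constructed_assertion(class_ref=None):
    """Build a minimal, constructed assertion for the demo (not real IdP output)."""
    ctx = ""
    if class_ref is not None:
        ctx = ("<saml:AuthnContext><saml:AuthnContextClassRef>"
               f"{class_ref}</saml:AuthnContextClassRef></saml:AuthnContext>")
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f"<saml:AuthnStatement>{ctx}</saml:AuthnStatement></saml:Assertion>")


if __name__ == "__main__":
    for label, ref in [("mfa", AC + "MediumStrongCertificateProtectedTransport"),
                       ("password", AC + "PasswordProtectedTransport"),
                       ("missing", None)]:
        print(label, idp_asserted_mfa(constructed_assertion(ref)))
```

The comparison is an exact string match against the allowlist, so a missing, empty or unrecognised class leaves the SP's own second-factor prompt in place.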