Configure SAML2 AuthnContextClassRef in authncontext.strength file


You can configure your own classes for authentication methods and order them by strength, which enables comparisons when authentication methods are requested in a SAML2 Authentication Request.

Relative strength comparison information is defined in the authncontext.strength file.

Windows: C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\methods\authncontext.strength

Linux: /usr/local/ubisecure/ubilogin-sso/ubilogin/methods/authncontext.strength

See also Use SAML2 AuthnContextClassRef in IDP Proxy situations

Default configuration

Default configuration of authncontext.strength
#
# authncontext.strength
#
# SAML standard AuthnContext Class values
#
# urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony
# urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol
# urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword
# urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
# urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract
# urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered
# urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract
# urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered
# urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony
# urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalizedTelephony
# urn:oasis:names:tc:SAML:2.0:ac:classes:PGP
# urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
# urn:oasis:names:tc:SAML:2.0:ac:classes:Password
# urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
# urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard
# urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
# urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI
# urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI
# urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword
# urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
# urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony
# urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
# urn:oasis:names:tc:SAML:2.0:ac:classes:X509
# urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig
# urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

#
# Any non-absolute URI values are expanded into Ubilogin Server
# AuthnContextDeclRef values
#
# Example:
#
# With an Entity ID value of "https://localhost/uas"
# "password.1" is expanded into the following AuthnContextDeclRef 
# "https://localhost/uas/saml2/names/ac/password.1"
#

100     urn:oasis:names:tc:SAML:2.0:ac:classes:Password
100     password.1



Sample configuration

Sample configuration of authncontext.strength
#
# authncontext.strength
#
# SAML standard AuthnContext Class values
#
# The following example shows that smartcard login is strongest, Azure AD next, social networks a little lower,
# followed by username and password and finally login using a phone number that has not previously been registered.
#
# Any non-absolute URI values are expanded into Ubilogin Server
# AuthnContextDeclRef values
#
# Example:
#
# With an Entity ID value of "https://localhost/uas"
# "password.1" is expanded into the following AuthnContextDeclRef 
# "https://localhost/uas/saml2/names/ac/password.1"
#

500		urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard
300		oauth.azuread.1
200		oauth.google.1
200		oauth.facebook.1
200		oauth.linkedin.1
100     urn:oasis:names:tc:SAML:2.0:ac:classes:Password
100     password.1
50		urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered
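
The following Python sketch is an added example, not part of the Ubisecure documentation or product code. It parses the sample configuration above, expands non-absolute values as the file's comments describe, and lists which configured contexts satisfy a requested one under the SAML2 RequestedAuthnContext Comparison values. The function names and the mapping of comparisons onto numeric strengths are assumptions for illustration; Ubilogin's own evaluation may differ.

```python
from urllib.parse import urlparse

# Constructed input: the ranking lines from the sample configuration above.
SAMPLE = """\
# authncontext.strength
500\t\turn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard
300\t\toauth.azuread.1
200\t\toauth.google.1
200\t\toauth.facebook.1
200\t\toauth.linkedin.1
100     urn:oasis:names:tc:SAML:2.0:ac:classes:Password
100     password.1
50\t\turn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered
"""

def expand(value, entity_id):
    """Expand a non-absolute value into an AuthnContextDeclRef under the Entity ID."""
    if urlparse(value).scheme:          # urn:... or https://... is already absolute
        return value
    return f"{entity_id.rstrip('/')}/saml2/names/ac/{value}"

def parse_strength(text, entity_id):
    """Return {context reference: strength}, skipping comments and blank lines."""
    table = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()            # tabs and spaces both occur in the sample
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError(f"line {n}: expected '<strength> <uri>'")
        table[expand(parts[1], entity_id)] = int(parts[0])
    return table

def acceptable(table, requested, comparison="exact"):
    """Contexts that satisfy the requested reference under the given comparison."""
    if requested not in table:
        return []                       # an unranked context cannot be compared
    want = table[requested]
    tests = {
        "exact":   lambda c, s: c == requested,  # the same reference only
        "minimum": lambda c, s: s >= want,
        "better":  lambda c, s: s > want,
        "maximum": lambda c, s: s <= want,       # simplified: anything not stronger
    }
    ok = tests[comparison]
    return sorted(c for c, s in table.items() if ok(c, s))
```

With this ranking, a request for `Password` with `minimum` excludes the unregistered mobile method, and a context that is missing from the file matches nothing, so every method a service provider may ask for needs a line in the file.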