Pass Suomi.fi AuthnContextClassRef value to the userinfo endpoint

Requirement

  • You want to fetch the Suomi.fi AuthnContextClassRef value in the Authorization Policy

  • You want to pass the Suomi.fi AuthnContextClassRef value to the userinfo endpoint

Steps

To fetch AuthnContextClassRef value in the Authorization policy

  • Suomi.fi authentication returns the field AuthnContextClassRef in its identification response; it describes which authentication method the user chose during authentication.

  • Below is an example of the AuthnContextClassRef returned in the identification response.

  • To fetch only the AuthnContextClassRef value into the SSO Authorization Policy, add the following rule to the Authorization Policy:

${response.authnContextClassRef}

  • If you want to forward the AuthnContext from the inbound SAML2 response (i.e. received by SSO) to the outbound SAML2 response (i.e. sent by SSO), it can be passed in the Authorization Policy as follows:

${authnContext.authnContextDeclRef(response.authnContextDeclRef).authnContextClassRef(response.authnContextClassRef).authenticatingAuthority(response.authenticatingAuthority)}

This rule, however, returns the AuthnContext in XML format. You can convert it to the required format using the functions described in: https://ubisecuredev.atlassian.net/wiki/spaces/IDS20221/pages/8907526195

Below are examples of Authorization Policy attribute rules you can use, together with the output you would receive from the userinfo endpoint:

Example 1:

AUTHORIZATION POLICY RULE:

${xss:json(authnContext.authnContextDeclRef(response.authnContextDeclRef).authnContextClassRef(response.authnContextClassRef).authenticatingAuthority(response.authenticatingAuthority))}

OUTPUT:

"AuthnContextClassRef": ["<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<authnContext xmlns:ns2=\"urn:oasis:names:tc:SAML:2.0:assertion\">\n    <ns2:AuthnContextClassRef>urn:oid:1.2.246.517.3002.110.999</ns2:AuthnContextClassRef>\n</authnContext>\n"]

Example 2:

AUTHORIZATION POLICY RULE:

${xss:html(authnContext.authnContextDeclRef(response.authnContextDeclRef).authnContextClassRef(response.authnContextClassRef).authenticatingAuthority(response.authenticatingAuthority))}

OUTPUT:

${xss:html(authnContext.authnContextDeclRef(response.authnContextDeclRef).authnContextClassRef(response.authnContextClassRef).authenticatingAuthority(response.authenticatingAuthority))}

To fetch these values in the userinfo endpoint:

The Authorization Policy defines which attributes are available to a relying party in the id_token and the userinfo endpoint.

The attributes set in the Authorization Policy will be available in the userinfo endpoint as shown in the example below.

More details can be found in the document: https://ubisecuredev.atlassian.net/wiki/spaces/IDS20213/pages/4452582184
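With the rule from Example 1 in place, the relying party receives the authnContext XML as a JSON string inside the AuthnContextClassRef claim. As an added example that is not part of this page or of Ubisecure SSO, the following Python parses such a userinfo response, extracts the AuthnContextClassRef URN and checks it against the set of authentication methods the relying party accepts; the userinfo body is constructed from the Example 1 output, and the accepted-method set is the relying party's own policy.

```python
import json
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the authnContext document shown inside the userinfo
# claim in Example 1, with the JSON string escaping removed.
SAMPLE_AUTHN_CONTEXT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<authnContext xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">\n'
    '    <ns2:AuthnContextClassRef>urn:oid:1.2.246.517.3002.110.999</ns2:AuthnContextClassRef>\n'
    '</authnContext>\n'
)
# Constructed userinfo body; "sub" is a placeholder, the claim follows Example 1.
SAMPLE_USERINFO = json.dumps({"sub": "constructed-subject-id",
                              "AuthnContextClassRef": [SAMPLE_AUTHN_CONTEXT_XML]})


def parse_authn_context(xml_text):
    """Return AuthnContextClassRef, AuthnContextDeclRef and AuthenticatingAuthority
    from one authnContext document (None for elements that are not present)."""
    root = ET.fromstring(xml_text)
    if root.tag != "authnContext":   # reject a document that is not an authnContext
        raise ValueError("unexpected root element: %r" % root.tag)
    values = {}
    for name in ("AuthnContextClassRef", "AuthnContextDeclRef", "AuthenticatingAuthority"):
        element = root.find("{%s}%s" % (SAML_ASSERTION_NS, name))
        text = element.text.strip() if element is not None and element.text else ""
        values[name] = text or None
    return values


def authn_class_refs_from_userinfo(userinfo_json):
    """Return every AuthnContextClassRef URN carried in a userinfo response."""
    documents = json.loads(userinfo_json).get("AuthnContextClassRef", [])
    if isinstance(documents, str):   # tolerate a single-valued claim
        documents = [documents]
    refs = [parse_authn_context(doc)["AuthnContextClassRef"] for doc in documents]
    return [ref for ref in refs if ref]


def authenticated_with(userinfo_json, accepted_class_refs):
    """True only if the response carries at least one AuthnContextClassRef and
    every one of them is a method the relying party accepts."""
    refs = authn_class_refs_from_userinfo(userinfo_json)
    return bool(refs) and all(ref in accepted_class_refs for ref in refs)
```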