Pass Suomi.fi AuthnContextClassRef value to the userinfo endpoint
Requirement
If you want to fetch Suomi.fi AuthnContextClassRef value in the Authorization policy
If you want to pass the Suomi.fi AuthnContextClassRef value into the userinfo endpoint
Steps
To fetch AuthnContextClassRef value in the Authorization policy
Suomi.fi authentication returns the field AuthnContextClassRef in their Identification response, which describes what authentication method the user chooses during authentication.
Below is an example of the AuthnContextClassRef returned in the identification response.
To fetch only the AuthnContextClassRef value into the SSO Authorization Policy, you need to add the following rule in the Authorization Policy:
${response.authnContextDeclRef}
If you are trying to forward the AuthnContext from inbound SAML2 response (i.e. received by SSO) to outbound SAML2 response (i.e. sent by SSO), this can be passed in the Authorization Policies as follows
${authnContext.authnContextDeclRef(response.authnContextDeclRef).authnContextClassRef(response.authnContextClassRef).authenticatingAuthority(response.authenticatingAuthority)}
This will however return output in the xml format. You can convert it to required format using Function defined in : https://ubisecuredev.atlassian.net/wiki/spaces/IDS20221/pages/8907526195
Below are example on Authorization policy Attribute rules you can use and output you would receive in userinfo endpoint:
Example 1:
AUTHORIZATION POLICY RULE:
${xss:json(authnContext.authnContextDeclRef(response.authnContextDeclRef).authnContextClassRef(response.authnContextClassRef).authenticatingAuthority(response.authenticatingAuthority))}
OUTPUT:
"AuthnContextClassRef": ["\<\?xml\ version\=\\"1.0\\"\ encoding\=\\"UTF\-8\\"\ standalone\=\\"yes\\"\?\>\\n\<authnContext\ xmlns\:ns2\=\\"urn\:oasis\:names\:tc\:SAML\: 2.0\:assertion\\"\>\\n\ \ \ \ \<ns2\:AuthnContextClassRef\>urn\:oid\:1.2.246.517.3002.110.999\<\/ns2\:AuthnContextClassRef\>\\n\<\/authnContext\>\\n"
Example 2:
AUTHORIZATION POLICY RULE:
${xss:html(authnContext.authnContextDeclRef(response.authnContextDeclRef).authnContextClassRef(response.authnContextClassRef).authenticatingAuthority(response.authenticatingAuthority))}
OUTPUT:
${xss:html(authnContext.authnContextDeclRef(response.authnContextDeclRef).authnContextClassRef(response.authnContextClassRef).authenticatingAuthority(response.authenticatingAuthority))}
To fetch these values in the userinfo endpoint:
The Authorization Policy defines which attributes are available to a relying party in the id_token and the userinfo endpoint.
The attributes set in the Authorization policy will be available in the userinfo endpoint as shown in example below.
More details can be found in document: https://ubisecuredev.atlassian.net/wiki/spaces/IDS20213/pages/4452582184
Â