Step-up improvement
Consider the following setup:
- SP -> Identify -> ADFS with step-up configured.
- The Identify instance has 3 assurance levels created under Settings > Authentication context method class:
  - urn:oasis:names:tc:SAML:2.0:ac:classes:Password = 3
  - urn:federation:authentication:windows = 3
  - http://schemas.microsoft.com/claims/multipleauthn = 4
- Identify's SAML 2.0 authentication connection for ADFS has:
  - Authentication context method class = urn:oasis:names:tc:SAML:2.0:ac:classes:Password
  - Second factor authentication context method class = http://schemas.microsoft.com/claims/multipleauthn
- When the SP sends a request that requires the http://schemas.microsoft.com/claims/multipleauthn assurance level (note that because the first factor assurance level is urn:oasis:names:tc:SAML:2.0:ac:classes:Password, Identify sends urn:oasis:names:tc:SAML:2.0:ac:classes:Password to ADFS), ADFS returns urn:federation:authentication:windows instead of urn:oasis:names:tc:SAML:2.0:ac:classes:Password. In other words, the upstream Identity Provider returns an assurance level that is set by neither the Authentication context method class setting nor the Second factor authentication context method class setting, even though its numeric value (3) equals that of the Authentication context method class setting.
Before this release, Identify would reject the response and send a NoAuthnContext error to the SP. In this release, Identify now accepts a returned assurance level as long as it is defined in Identify and its numeric value is greater than or equal to that of the Authentication context method class setting.
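The acceptance rule before and after this release, as an added illustration using the assurance levels and connection settings from the scenario above. This is not Identify's own code; the "before" rule is modelled from the description (only the two configured classes were accepted), and the status code is the standard SAML 2.0 NoAuthnContext second-level status URI.

```python
# Added illustration of the step-up acceptance rule from this release note.
# Not Identify's code: it models the decision using the scenario's settings.
from typing import Optional

# Assurance levels from Settings > Authentication context method class.
ASSURANCE_LEVELS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 3,
    "urn:federation:authentication:windows": 3,
    "http://schemas.microsoft.com/claims/multipleauthn": 4,
}

# Settings of the SAML 2.0 authentication connection for ADFS.
FIRST_FACTOR = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
SECOND_FACTOR = "http://schemas.microsoft.com/claims/multipleauthn"

# Standard SAML 2.0 second-level status code sent to the SP on rejection.
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"


def accept_before(returned_class: str) -> Optional[str]:
    """Behaviour before this release (modelled): the class returned by the
    upstream IdP must be exactly one of the two configured classes.
    Returns None when accepted, otherwise the status code sent to the SP."""
    if returned_class in (FIRST_FACTOR, SECOND_FACTOR):
        return None
    return NO_AUTHN_CONTEXT


def accept_after(returned_class: str) -> Optional[str]:
    """Behaviour from this release: the returned class must be defined in
    Identify and its level must be >= the level of the Authentication
    context method class setting. Unknown classes are still rejected, so a
    response cannot smuggle in an arbitrary AuthnContextClassRef."""
    level = ASSURANCE_LEVELS.get(returned_class)
    if level is None:
        return NO_AUTHN_CONTEXT
    if level < ASSURANCE_LEVELS[FIRST_FACTOR]:
        return NO_AUTHN_CONTEXT
    return None


if __name__ == "__main__":
    # The scenario from the note: ADFS returns the Windows class (level 3).
    adfs_returned = "urn:federation:authentication:windows"
    print("before:", accept_before(adfs_returned))  # NoAuthnContext
    print("after: ", accept_after(adfs_returned))   # None (accepted)
```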