Hi everybody,
I am making some progress in building an Apereo CAS demo server with
delegated authentication with SAML2 (for integrating with the Italian SPID
system).
I am testing against a test IDP instance. I have been able to
generate a compliant SP metadata file (although with some manual
editing).
Now the test IDP instance is complaining about the
SAML AuthnRequest that it is receiving from my delegated CAS.
In particular, the AuthnRequest lacks these two keys:
AuthnRequest/NameIDPolicy required key not provided
AuthnRequest/RequestedAuthnContext required key not provided
For reference, the keys should look like this:
<saml2p:NameIDPolicy AllowCreate="false"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
<saml2p:RequestedAuthnContext Comparison="exact">
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword</saml2:AuthnContextClassRef>
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
How can I configure the server to include "NameIDPolicy" and
"RequestedAuthnContext" keys in the request?
Thanks and regards,
Giacomo
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
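The check the test IDP is applying to the AuthnRequest, reconstructed as an added example (not code from the original post, from Apereo CAS, or from the SPID test IDP): it parses an AuthnRequest and reports whether NameIDPolicy and RequestedAuthnContext are present with the values quoted in the post (transient NameID format, AllowCreate="false", Comparison="exact", the three AuthnContextClassRef values). Both AuthnRequest documents below are constructed samples; the issuer and ACS URLs in them are placeholders. It is useful for inspecting what CAS actually sends before changing configuration, and for confirming the fix afterwards.

```python
"""Check a SAML2 AuthnRequest for the NameIDPolicy and RequestedAuthnContext
content a SPID-style test IdP requires (added example, constructed input)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Expected values, taken from the snippet quoted in the post.
EXPECTED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EXPECTED_COMPARISON = "exact"
EXPECTED_CLASS_REFS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard",
}

# Constructed sample: what a request missing both elements looks like.
BROKEN_REQUEST = """<saml2p:AuthnRequest
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://cas.example.org/cas/login?client_name=SAML2Client">
  <saml2:Issuer>https://cas.example.org/cas</saml2:Issuer>
</saml2p:AuthnRequest>"""

# Constructed sample: the same request carrying the two required elements.
GOOD_REQUEST = """<saml2p:AuthnRequest
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-2" Version="2.0" IssueInstant="2021-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://cas.example.org/cas/login?client_name=SAML2Client">
  <saml2:Issuer>https://cas.example.org/cas</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="false"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  <saml2p:RequestedAuthnContext Comparison="exact">
    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword</saml2:AuthnContextClassRef>
    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard</saml2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>"""


def check_authn_request(xml_text: str) -> list:
    """Return a list of problems; an empty list means the request passes.

    Only the structural points the IdP complained about are checked; the
    signature and Destination/Issuer validation an IdP also performs are
    out of scope here. For untrusted input prefer a hardened parser such
    as defusedxml over xml.etree.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["root element is not samlp:AuthnRequest"]

    nip = root.find("samlp:NameIDPolicy", NS)
    if nip is None:
        problems.append("AuthnRequest/NameIDPolicy required key not provided")
    else:
        fmt = nip.get("Format")
        if fmt != EXPECTED_NAMEID_FORMAT:
            problems.append("NameIDPolicy Format is %r, expected %r"
                            % (fmt, EXPECTED_NAMEID_FORMAT))
        if nip.get("AllowCreate", "false").lower() != "false":
            problems.append("NameIDPolicy AllowCreate must be \"false\"")

    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        problems.append("AuthnRequest/RequestedAuthnContext required key not provided")
    else:
        cmp_ = rac.get("Comparison")
        if cmp_ != EXPECTED_COMPARISON:
            problems.append("RequestedAuthnContext Comparison is %r, expected %r"
                            % (cmp_, EXPECTED_COMPARISON))
        refs = {e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)
                if e.text}
        missing = EXPECTED_CLASS_REFS - refs
        if missing:
            problems.append("missing AuthnContextClassRef: " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_REQUEST), ("good", GOOD_REQUEST)):
        print(label, check_authn_request(doc) or "OK")
```

To run it against a live request, decode the SAMLRequest parameter CAS sends (Base64, and zlib-inflated if the Redirect binding is used) and pass the resulting XML string to check_authn_request.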