
Supported SAML Authentication Context Classes and Strengths

Active Directory Federation Services 2.0

This topic provides information about the SAML authentication context classes that Active Directory® Federation Services (AD FS) 2.0 supports, and about how AD FS 2.0 interprets the relative strength of different authentication methods when it evaluates a requested authentication context.

SAML authentication context classes are URIs that specify authentication methods in SAML authentication requests and authentication statements. They are defined in section 3.4 of the Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0 Specification (http://go.microsoft.com/fwlink/?LinkId=217497). Only a subset of the authentication context classes defined in this specification is supported by AD FS 2.0.

Supported SAML Authentication Context Classes

Authentication Method                    Authentication Context Class URI
---------------------                    --------------------------------
User Name and Password                   urn:oasis:names:tc:SAML:2.0:ac:classes:Password
Password Protected Transport             urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Transport Layer Security (TLS) Client    urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
X.509 Certificate                        urn:oasis:names:tc:SAML:2.0:ac:classes:X509
Integrated Windows Authentication        urn:federation:authentication:windows
Kerberos                                 urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos

In RP-initiated sign-on, a relying party (RP) can specify the Comparison attribute on a <RequestedAuthnContext> element to indicate how the authentication context should be evaluated based on the relative strengths of the authentication context classes specified in the request and the authentication methods offered by an IdP. If no Comparison attribute is specified, a value of “Exact” is assumed. (In IdP-initiated sign-on from AD FS 2.0, the equivalent behavior is implemented by setting the Comparison property on the RequestedAuthenticationContext passed in the SignOnRequestParameters to the SignIn method.)

When processing a SAML authentication request, the interpretation of the relative strengths of the different authentication context classes included in a requested authentication context is up to the responder. AD FS 2.0 interprets the relative strength of different authentication context classes according to the order in which they are configured in the Authentication Context Order settings. These settings are exposed as the AuthenticationContextOrder property of the ServiceProperties object and can be viewed using the Get-ADFSProperties cmdlet or set using the Set-ADFSProperties cmdlet. The following shows the relative strengths of the authentication context classes set in the default Authentication Context Order settings. The classes are listed in ascending order of strength (weakest first).

urn:oasis:names:tc:SAML:2.0:ac:classes:Password
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
urn:oasis:names:tc:SAML:2.0:ac:classes:X509
urn:federation:authentication:windows
urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
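How the Authentication Context Order turns a requested authentication context into a decision is easier to see with a worked evaluation. The following Python script is an added example, not code from this documentation or from AD FS 2.0 itself: it parses a constructed <samlp:RequestedAuthnContext> fragment, ranks the default order shown above weakest first, and returns the classes that satisfy the request for each Comparison value (exact, minimum, maximum, better) as those values are defined in the SAML 2.0 Core specification. That AD FS 2.0 applies the definitions in exactly this way, and the reading of "better" as stronger than every requested class, are assumptions; the function names and the sample request are mine. A requested class that is not in the configured order is rejected, because the relative-strength rules cannot rank it.

```python
"""Evaluate a SAML 2.0 <RequestedAuthnContext> against an ordered strength list.

Added example, not code from the AD FS 2.0 documentation. DEFAULT_ORDER is the
default AD FS 2.0 AuthenticationContextOrder quoted on the page (weakest first).
The Comparison semantics follow the SAML 2.0 Core specification; applying them
this way to AD FS 2.0 is an assumption of this example.
"""
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Default AD FS 2.0 Authentication Context Order, weakest first (from the page).
DEFAULT_ORDER = [
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
    "urn:federation:authentication:windows",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos",
]


def parse_requested_context(xml_text):
    """Return (comparison, [class URIs]) from a <samlp:RequestedAuthnContext>."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != f"{{{SAMLP_NS}}}RequestedAuthnContext":
        raise ValueError("not a RequestedAuthnContext element")
    # No Comparison attribute means "exact", as the page states.
    comparison = root.get("Comparison", "exact")
    classes = [e.text.strip() for e in root.findall(f"{{{SAML_NS}}}AuthnContextClassRef")]
    if not classes:
        raise ValueError("RequestedAuthnContext carries no AuthnContextClassRef")
    return comparison, classes


def acceptable_classes(comparison, requested, order=DEFAULT_ORDER):
    """Classes from `order` that satisfy the request, listed weakest first.

    A requested URI missing from `order` raises ValueError: the responder has no
    rank for it, so none of the relative-strength rules can be applied.
    """
    rank = {uri: i for i, uri in enumerate(order)}
    unknown = [c for c in requested if c not in rank]
    if unknown:
        raise ValueError(f"unranked authentication context class(es): {unknown}")
    ranks = [rank[c] for c in requested]
    if comparison == "exact":      # must be one of the requested classes
        return [c for c in order if c in requested]
    if comparison == "minimum":    # at least as strong as one requested class
        return [c for c in order if rank[c] >= min(ranks)]
    if comparison == "maximum":    # must not exceed the strongest requested class;
        return [c for c in order if rank[c] <= max(ranks)]  # responder picks the strongest
    if comparison == "better":     # stronger than every requested class (assumed reading)
        return [c for c in order if rank[c] > max(ranks)]
    raise ValueError(f"unknown Comparison value: {comparison!r}")


def evaluate(xml_text, order=DEFAULT_ORDER):
    """Parse a RequestedAuthnContext fragment and return the acceptable classes."""
    comparison, requested = parse_requested_context(xml_text)
    return acceptable_classes(comparison, requested, order)


# Constructed sample: a relying party asking for PasswordProtectedTransport or stronger.
SAMPLE_REQUEST = f"""
<samlp:RequestedAuthnContext xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" Comparison="minimum">
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
"""

if __name__ == "__main__":
    for uri in evaluate(SAMPLE_REQUEST):
        print(uri)
```

Passing a different `order` to `acceptable_classes` shows why the configured order matters: moving a class towards the front of the array makes it satisfy fewer "minimum" requests and more "maximum" requests, so any reordering with Set-ADFSProperties should be checked against the requests your relying parties actually send.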

The following example shows a Windows PowerShell command (and output) that lists the current Authentication Context Order settings (the context classes are listed in ascending order of strength).

PS C:\Windows\System32> Get-ADFSProperties | select-object -expandProperty AuthenticationContextOrder | select-object -Property AbsoluteUri

AbsoluteUri
-----------
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
urn:oasis:names:tc:SAML:2.0:ac:classes:X509
urn:federation:authentication:windows
urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos

The following example shows a series of Windows PowerShell commands that can be used to set the Authentication Context Order settings. These commands set the Authentication Context Order settings to the default order; however, you can modify the commands to change the settings. For example, you can reorder the elements in the array to change the relative strengths of the context classes. Note that the first element in the array is the lowest priority setting.

PS C:\Windows\System32> $pwd = new-object system.uri("urn:oasis:names:tc:SAML:2.0:ac:classes:Password")
PS C:\Windows\System32> $pwdtransport = new-object system.uri("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
PS C:\Windows\System32> $tls = new-object system.uri("urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient")
PS C:\Windows\System32> $x509 = new-object system.uri("urn:oasis:names:tc:SAML:2.0:ac:classes:X509")
PS C:\Windows\System32> $windows = new-object system.uri("urn:federation:authentication:windows")
PS C:\Windows\System32> $kerberos = new-object system.uri("urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos")

PS C:\Windows\System32> [system.uri[]] $newURIs = $pwd, $pwdtransport, $tls, $x509, $windows, $kerberos

PS C:\Windows\System32> Set-ADFSProperties -AuthenticationContextOrder $newURIs

For more information about how AD FS 2.0 processes RP-initiated sign-on requests, see Authentication Handler Overview. For more information about how to specify sign-on parameters in IdP-initiated sign-on requests, see IdpInitiatedSignOnPage Class Overview.

© 2014 Microsoft