Use of PasswordProtectedTransport in the request

[Ptr32Void]

Hi,

I am struggling to understand how to configure pysaml2 and add the RequestedAuthnContext in my requests. I have a SP and I would need to add the following SAML assertions in my request during the login:

<samlp:RequestedAuthnContext> <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </saml:AuthnContextClassRef> </samlp:RequestedAuthnContext>

I am struggling because I cannot see a configuration to apply these assertions.
I tried to implement it in different ways in the code but I cannot make it work.
I believe this is possible as I can see it from here:
https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/samlp.py

I can see:
AUTHN_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password" AUTHN_PASSWORD_PROTECTED = \ "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

I also saw a test here:

pysaml2/tests/test_77_authn_context.py

Line 68 in f22506e

def test_authn_1():

I just do not know how to reference that unfortunately. I have a simple configuration like this:

"service": {
"sp": {
"name": "BLABLA",
"allow_unsolicited": true,
"want_response_signed": false,
"logout_requests_signed": true,
"endpoints": {
"assertion_consumer_service": ["https://mywebste..."],
"single_logout_service": [["https://mywebste...", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"]]
}
}
}

Anybody knows how to perform that request using the "saml:AuthnContextClassRef"?

Thanks.

[peppelinux]

Ciao John,

I removed my previous comment because it was related to SATOSA and out of context here.
Are you using djangosaml2 or are you building a SP from scratch with pysaml2?

Here the solution I adopt for this kind of problem, this is an example of a customized Authentication Request:
https://github.com/peppelinux/Django-Identity/blob/master/djangosaml2_sp/djangosaml2_sp/djangosaml2_spid/views.py#L165

Complimenti per l'italiano, parli meglio di me! ;)
regards

[Ptr32Void]

Hey Peppelinux,

Thanks for getting back to me so quickly. Appreciate your insights.
I am still not super confident on how to implement it.. but let me answer your questions first.
The application is built in Flask and I am using pysaml2 to perform the authentication.

The login code is below:

saml_client = Saml2Client(config=config)
reqid, info = saml_client.prepare_for_authenticate(relay_state=relay_state_info)
for key, value in info['headers']:
        if key is 'Location':
            redirect_url = value
return redirect_url

This will produce something like:

<ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
                  AssertionConsumerServiceURL="https://miosp.com/sso/acs"
                  Destination="https://idp.com/oamfed/idp/samlv20"
                  ID="id-HEqpJ9pxzshoZqr4f"
                  IssueInstant="2020-05-17T09:35:40Z"
                  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                  Version="2.0"
                  >
    <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://miosp.com/sso/saml</ns1:Issuer>
    <ns0:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</ns0:AuthnRequest>

What the IDP is expecting is instead:

<ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
                  AssertionConsumerServiceURL="https://miosp.com/sso/acs"
                  Destination="https://idp.com/oamfed/idp/samlv20"
                  ID="id-HEqpJ9pxzshoZqr4f"
                  IssueInstant="2020-05-17T09:35:40Z"
                  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                  Version="2.0"
                  >
    <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://miosp.com/sso/saml</ns1:Issuer>
    <ns0:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />

<samlp:RequestedAuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</ns0:AuthnRequest>

As you can see "samlp:RequestedAuthnContext" and "PasswordProtectedTransport" is required.
I took a look at

pysaml2/tests/test_77_authn_context.py

Line 68 in f22506e

def test_authn_1():

and that's what it looks like I should implement, but I am not sure how to pass those parameters afterwards in the "SAMLRequest".

I hope it makes sense.. I'll keep on looking at your code, but if you have additional insights that would definitely be beneficial.

Thanks,
R

[peppelinux]

prepare_for_authenticate is a shortcut.
You can build your AuthnRequest objects with the example I showed to you, it's just more granular, there is the example about how to set a ACR explicitilly

have fun

[peppelinux]

Start from here:
https://github.com/peppelinux/Django-Identity/blob/6cc304d96c5a52d4536b19cfc21d270222e57068/djangosaml2_sp/djangosaml2_sp/djangosaml2_spid/views.py#L143

[Ptr32Void]

Thanks! Yep, I took a look at it.. still navigating the code and trying to apply similar structure to my code. I'll keep you posted

[Ptr32Void]

I solved it. I tried a few ways similar to this https://github.com/peppelinux/Django-Identity/blob/6cc304d96c5a52d4536b19cfc21d270222e57068/djangosaml2_sp/djangosaml2_sp/djangosaml2_spid/views.py#L143 but I also re-used prepare_for_authenticate and kwargs which makes the code more readable.

Thanks a lot @peppelinux