SAML2 Authentication Context Class
Each service may specify a required authentication class, which may overwrite the appropriate field in the ultimate SAML2 response that is sent back to the service provider.
Static
1
2
3
4
5
6
7
8
{
"@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId": "https://spring.io/security/saml-sp",
"name": "SAML",
"id": 1,
"metadataLocation": "/path/to/sp-metadata.xml",
"requiredAuthenticationContextClass": "https://refeds.org/profile/mfa",
}
Groovy
You can always manipulate the authentication context class in more dynamic ways using a Groovy script:
1
2
3
4
5
6
7
8
{
"@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId": "https://spring.io/security/saml-sp",
"name": "SAML",
"id": 1,
"metadataLocation": "/path/to/sp-metadata.xml",
"requiredAuthenticationContextClass": "file:///path/to/GroovyScript.groovy",
}
The script itself may be designed as:
1
2
3
4
5
6
7
8
9
10
11
12
import org.apereo.cas.support.saml.web.idp.profile.builders.*
def run(final Object... args) {
def samlContext = args[0] as SamlProfileBuilderContext
def logger = args[1]
logger.info("Building context for entity {}", samlContext.adaptor.entityId)
/**
This is where you calculate the final context class...
*/
return "https://refeds.org/profile/mfa"
}
Custom
It is possible to design and inject your authentication context class builder
into CAS using the following @Bean
that would be registered in a @AutoConfiguration
class:
1
2
3
4
@Bean
public SamlProfileAuthnContextClassRefBuilder defaultAuthnContextClassRefBuilder() {
return new MyBuilder();
}
Your configuration class needs to be registered with CAS. See this guide for better details.