Modifying Requested Authn Context

When a user accesses a protected resource in grid which triggers the need for authentication, an authentication request (AuthnRequest) is generated and sent to the Identity Provider (IdP). The AuthnRequest includes information about how the authentication may be conducted in terms of RequestedAuthnContext and Comparison.

The RequestedAuthnContext specifies the recommended authentication method. The available methods, listed from least secure to most secure, are as follows:
  • Username/Password - This authentication method uses a username and a password over an unprotected session.
  • Password Protected Transport - This authentication method uses a username and a password over a protected session.
  • Transport Layer Security (TLS) Client - This authentication method uses a client certificate, secured with SSL/TLS transport.
  • X.509 Certificate - This authentication method uses a digital signature where the key is validated as part of an X.509 Public Key Infrastructure.
  • Integrated Windows Authentication - This authentication method uses the Integrated Windows Authentication.
  • Kerberos - This authentication method uses Kerberos.
The Comparison property determines whether multiple authentication contexts can be used and specifies which ones. The available values are:
  • exact - Only the specified authentication level is allowed.
  • better - The authentication level must be stronger than the specified one.
  • minimum - The authentication level must be at least as strong as the specified one.
  • maximum - The authentication level must not exceed the specified one.
Note: If the Identity Provider does not support any authentication methods specified in the AuthnRequest, reconfiguration of the properties is necessary for authentication to function correctly.
Note: The default value for RequestedAuthnContext is Password Protected Transport, and the default for Comparison is minimum. Ensure that the configured authentication method is supported by the Identity Provider.

The authentication method properties can be modified after the installation. To change the properties:

  1. From Grid Management Pages > Security > SAML, click Service Provider.
  2. Click Edit.
  3. Select the applicable option from Requested Authn Context Class Ref.
  4. Select the applicable option from Requested Authn Context Comparison.
  5. Click Save to confirm the changes.