SAML Authentication Request approved authentication methods
When a user accesses a protected Grid resource which triggers the need for authentication, the SAML Session Provider generates an authentication request (called AuthnRequest). The AuthnRequest is sent to the Identity Provider (IdP). Included in the AuthnRequest is information about how the authentication may be conducted. This information consists of two properties: RequestedAuthnContext and Comparison.
The RequestedAuthnContext defines the suggested authentication method. The following values are possible, ordered from least secure to most secure:
- "Username/Password": Authentication by using a username and password over an unprotected session.
- "Password Protected Transport": Authentication by using a username and password over a protected session.
- "Transport Layer Security (TLS) Client": Authentication by means of a client certificate, secured with the SSL/TLS transport.
- "X.509 Certificate": Authentication by means of a digital signature where the key was validated as part of an X.509 Public Key Infrastructure.
- "Integrated Windows Authentication": Authentication by using Integrated Windows Authentication.
- "Kerberos": Authentication using Kerberos.
The Comparison property defines whether authentication contexts other than the requested one may be used, and which ones. The following values are possible:
- "exact": Only the provided authentication level is allowed.
- "better": Must be stronger than the provided authentication level.
- "minimum": At least as strong as the provided authentication level.
- "maximum": Not stronger than the provided authentication level.
Note that the Identity Provider might not support any of the authentication methods that the AuthnRequest allows. In this case, the properties must be reconfigured for authentication to work.
The authentication method properties can be configured during installation. For more information, see the applicable installation instructions. The default value for RequestedAuthnContext is "Password Protected Transport", and for Comparison the default is "minimum".
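The following Python model, added here as an example and not part of the product's own code, encodes the level ordering and the four Comparison rules described above, checks them against the methods an IdP supports (an empty result is the "reconfigure" case), and serializes the resulting RequestedAuthnContext element. The class URNs are the standard SAML 2.0 ones; the URN for Integrated Windows Authentication is an assumed placeholder, since no standard value exists for it.

```python
from xml.etree import ElementTree as ET
# The page's ordering of authentication levels, least secure first.
LEVELS = [
    "Username/Password",
    "Password Protected Transport",
    "Transport Layer Security (TLS) Client",
    "X.509 Certificate",
    "Integrated Windows Authentication",
    "Kerberos",
]
# Standard SAML 2.0 AuthnContext class URNs where one exists; Integrated
# Windows Authentication has none, so a labelled placeholder is assumed.
SAML_AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
CLASS_REF = {
    "Username/Password": SAML_AC + "Password",
    "Password Protected Transport": SAML_AC + "PasswordProtectedTransport",
    "Transport Layer Security (TLS) Client": SAML_AC + "TLSClient",
    "X.509 Certificate": SAML_AC + "X509",
    "Integrated Windows Authentication": "urn:example:placeholder:windows-integrated",
    "Kerberos": SAML_AC + "Kerberos",
}
NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)

def allowed_levels(requested, comparison):
    """Levels the IdP may authenticate with, per the Comparison rules."""
    i = LEVELS.index(requested)  # raises ValueError for an unknown level
    if comparison == "exact":
        return [requested]
    if comparison == "better":
        return LEVELS[i + 1:]
    if comparison == "minimum":
        return LEVELS[i:]
    if comparison == "maximum":
        return LEVELS[:i + 1]
    raise ValueError(f"unknown Comparison value: {comparison!r}")

def usable_levels(requested, comparison, idp_supported):
    """Intersect with the IdP's methods; empty means reconfiguration is needed."""
    return [lvl for lvl in allowed_levels(requested, comparison) if lvl in idp_supported]

def requested_authn_context_xml(requested, comparison):
    """Serialize the RequestedAuthnContext element carried in the AuthnRequest."""
    allowed_levels(requested, comparison)  # validate both inputs first
    rac = ET.Element(f"{{{NS_P}}}RequestedAuthnContext", Comparison=comparison)
    ref = ET.SubElement(rac, f"{{{NS_A}}}AuthnContextClassRef")
    ref.text = CLASS_REF[requested]
    return ET.tostring(rac, encoding="unicode")
```

With the defaults ("Password Protected Transport", "minimum"), an IdP that only offers "Username/Password" yields an empty usable list, which is exactly the situation where the properties must be changed.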
The authentication method properties can be modified after the installation. To change the properties:
- Start the Grid Management UI and access the Configuration Manager.
- Click on "Applications" and select "SAML Session Provider".
- Click on "Edit Properties".
- Expand the "SP" property group and locate the "Requested Authentication Level" and "Requested Authentication Comparison" properties. Click on a value, change it to the desired value, and click "Update property".
- Click the Save button to confirm the changes.