HOW TO: Customize the SAML Authn Request to conditionally set the "Create AuthnContextClass" flag

Issue

This request comes from customers whose IdP policy for the SAML request is as follows:

- Seamless instance login with SSO: the SAML request must NOT contain 'AuthnContextClass'.
- E-signature approval with SSO: the SAML request must contain 'AuthnContextClass'.

Example of 'AuthnContextClass' in the SAML request:

<saml2p:RequestedAuthnContext Comparison="exact">
  <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>

Facts

The use case being accomplished here is seamless login (SSO) for instance login, while requiring the user to enter credentials for e-signature approvals.

Background on the "Create AuthnContextClass" flag: it enables the instance to send an authentication context class request to the IdP containing your instance's preferred authentication request format. See https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/integrate/saml/task/t_OptEnableProvidingAuthContxtClass.html

Note that the RequestedAuthnContext element only tells the IdP which authentication context class the instance wants. Whether the IdP re-prompts for credentials when it already holds a session that satisfies that class depends on the IdP, so test the e-signature flow against your IdP and confirm that the AuthnContextClassRef in the returned assertion is the one that was requested.

Release

Xanadu Patch 5

Resolution

The following code needs to be added to the SAML2_custom_esig script include so that AuthnContextClass is added only for the e-signature flow (the normal instance login continues to use the unmodified request).

- "Force AuthnRequest" should NOT be checked in the corresponding IdP record.
- "Create AuthnContextClass" should NOT be checked in the corresponding IdP record; if it were, the platform would emit its own RequestedAuthnContext element and the request would carry two. The value used in the customized code for the AuthnContextClassRef Method is the field's default, i.e. "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport". If this value is changed on the IdP record, make the corresponding change in the customized code below as well.
// Overriding doAuthnRequest from the saml2_internal script include
doAuthnRequest: function() {
    var authGenerationOptions = this.getAuthnOptions();
    this.glidesaml2api.setAuthnOptions(authGenerationOptions);
    this.glidesaml2api.buildHTTPAuthnRequest();
    if (!this.isOk())
        return this.glidesaml2api.getErrorCode();

    // Customisation begins
    /* Append a RequestedAuthnContext element to the generated SAML request.
       "Create AuthnContextClass" must NOT be checked on the corresponding IdP
       record, otherwise the platform emits its own element and the request
       would contain two. The element appended to the request is:
       <saml2p:RequestedAuthnContext Comparison="exact">
         <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
       </saml2p:RequestedAuthnContext> */

    // "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" is the
    // default value of the "AuthnContextClassRef Method" field on the IdP record.
    // If that field is changed, change this value to match.
    var authnContextClassRef = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";

    // 1) Get the generated request element DOM
    var requestDOM = this.glidesaml2api.getGeneratedReqElemDOM();

    // 2) Create the desired elements and set their attributes
    var elementRequestedAuthnContext = GlideXMLUtil.createTextElement(requestDOM, "saml2p:RequestedAuthnContext", "");
    var elementAuthnContextClassRef = GlideXMLUtil.createTextElement(elementRequestedAuthnContext, "saml2:AuthnContextClassRef", authnContextClassRef);
    elementRequestedAuthnContext.setAttribute("Comparison", "exact");
    elementAuthnContextClassRef.setAttribute("xmlns:saml2", "urn:oasis:names:tc:SAML:2.0:assertion");

    // 3) Set the customised request element DOM
    this.glidesaml2api.setCustomizedReqElemDOM(requestDOM);
    // Customisation ends

    return this.glidesaml2api.getGeneratedHTTPRequest();
},
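The following is an added, stand-alone example and is not ServiceNow code or part of the script include above. It shows, outside the instance, what the customisation does to the AuthnRequest XML and the two checks a practitioner would want around it: refusing to add a second RequestedAuthnContext when the IdP record already emits one, placing the element where the SAML 2.0 schema expects it (after NameIDPolicy/Conditions and before Scoping), and verifying on the way back that the assertion's AuthnContextClassRef is the class that was requested. It works on XML text rather than the GlideXMLUtil DOM, the sample request and response are constructed for the example, and the function names (addRequestedAuthnContext, buildAuthnRequestFor, assertionClassRefMatches) are hypothetical.

```javascript
// Added example (not ServiceNow code): conditionally appending a
// RequestedAuthnContext element to a SAML 2.0 AuthnRequest, as plain XML
// text so that it runs outside the instance. The constants mirror the
// defaults named in the KB article.
const SAML2P_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
const SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
const DEFAULT_CLASS_REF = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";

// Constructed sample request: what the platform generates before the
// customisation runs (no RequestedAuthnContext element present).
const SAMPLE_AUTHN_REQUEST = [
  '<saml2p:AuthnRequest xmlns:saml2p="' + SAML2P_NS + '"',
  '    ID="_constructed_example_id" Version="2.0"',
  '    IssueInstant="2024-01-01T00:00:00Z"',
  '    Destination="https://idp.example.test/sso"',
  '    AssertionConsumerServiceURL="https://instance.example.test/navpage.do">',
  '  <saml2:Issuer xmlns:saml2="' + SAML2_NS + '">https://instance.example.test</saml2:Issuer>',
  '  <saml2p:NameIDPolicy AllowCreate="true"',
  '      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>',
  '</saml2p:AuthnRequest>'
].join('\n');

function buildRequestedAuthnContext(classRef, comparison) {
  // xmlns:saml2 is declared on the child element, as the KB snippet does.
  return '<saml2p:RequestedAuthnContext Comparison="' + comparison + '">' +
    '<saml2:AuthnContextClassRef xmlns:saml2="' + SAML2_NS + '">' +
    classRef + '</saml2:AuthnContextClassRef></saml2p:RequestedAuthnContext>';
}

function addRequestedAuthnContext(requestXml, classRef, comparison) {
  classRef = classRef || DEFAULT_CLASS_REF;
  comparison = comparison || "exact";
  // Guard: if the IdP record already emits one ("Create AuthnContextClass"
  // checked), a second element makes the request schema-invalid. Refuse
  // rather than silently duplicate.
  if (/<(\w+:)?RequestedAuthnContext\b/.test(requestXml)) {
    throw new Error("AuthnRequest already contains RequestedAuthnContext; " +
      "uncheck 'Create AuthnContextClass' on the IdP record");
  }
  const element = buildRequestedAuthnContext(classRef, comparison);
  // Child order in AuthnRequest per the SAML 2.0 schema:
  // Subject?, NameIDPolicy?, Conditions?, RequestedAuthnContext?, Scoping?
  // so insert before Scoping when present, otherwise as the last child.
  const scoping = requestXml.search(/<(\w+:)?Scoping\b/);
  if (scoping !== -1) {
    return requestXml.slice(0, scoping) + element + requestXml.slice(scoping);
  }
  const close = requestXml.search(/<\/(\w+:)?AuthnRequest>/);
  if (close === -1) throw new Error("not a SAML 2.0 AuthnRequest");
  return requestXml.slice(0, close) + element + "\n" + requestXml.slice(close);
}

// The decision the KB article routes through two script includes: seamless
// instance login sends the generated request untouched; e-signature
// approval requests the password-protected-transport class.
function buildAuthnRequestFor(flow, requestXml) {
  if (flow === "esig") return addRequestedAuthnContext(requestXml);
  if (flow === "login") return requestXml;
  throw new Error("unknown flow: " + flow);
}

// Check on the way back: with Comparison="exact" the assertion's
// AuthnContextClassRef must equal the requested class. Anything else
// should not be accepted as a credential re-entry for the e-signature.
function assertionClassRefMatches(responseXml, expectedClassRef) {
  const m = /<(\w+:)?AuthnContextClassRef[^>]*>\s*([^<\s]+)\s*<\/(\w+:)?AuthnContextClassRef>/
    .exec(responseXml);
  return m !== null && m[2] === (expectedClassRef || DEFAULT_CLASS_REF);
}
```

Calling buildAuthnRequestFor("login", xml) returns the request unchanged, while buildAuthnRequestFor("esig", xml) returns it with the RequestedAuthnContext element inserted in schema order; calling addRequestedAuthnContext on a request that already carries the element throws, which is the condition the "Create AuthnContextClass must not be checked" rule in the Resolution guards against.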