HOW TO: Customize the SAML Authn Request to conditionally set the "Create AuthnContextClass" flag - Support and Troubleshooting

HOW TO: Customize the SAML Authn Request to conditionally set the "Create AuthnContextClass" flag Issue This request is from customers with IDP policy of SAML Request as followed:

Seamless instance login with SSO: SAML request needs 'AuthnContextClass' to be removed e-signature approval with SSO: SAML request needs 'AuthnContextClass' to be visible. Example of 'AuthnContextClass' in the SAML request:

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport Facts The use case is being accomplished here is seamless login (SSO) for instance login and requiring user to enter credentials for e-signature approvals. Background on "Create AuthnContextClass" flag: To enable the instance to send an authentication context class request to the IdP containing your instance's preferred authentication request format. https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/integrate/saml/task/t_OptEnableProvidingAuthContxtClass.html

Release Xanadu Patch 5

Resolution The following code needs to be added to SAML2_custom_esig script include to add AuthnContextClass conditionally. Force AuthnRequest should not be checked in the corresponding IDP record Create AuthnContextClass should not be checked in the corresponding IDP record and the value added in the modified code for AuthnContextClassRef Method is given as default i.e " urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport ". If there is a change in this value, a corresponding change should be made in the below customized code as well.

//Overriding doAuthnRequest from saml2_internal script include doAuthnRequest: function() { var authGenerationOptions = this.getAuthnOptions(); this.glidesaml2api.setAuthnOptions(authGenerationOptions); this.glidesaml2api.buildHTTPAuthnRequest(); if (!this.isOk()) return this.glidesaml2api.getErrorCode(); //Customisation begins /* Code to add AuthnContextClass tag to the saml request. Please note that the Create AuthnContextClass should NOT be checked in the corresponding IDP record. We will append the below tag along with the saml request. urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport */ //1) Get the Generated request element DOM var requestDOM = this.glidesaml2api.getGeneratedReqElemDOM(); //2) Create the desired tag var elementRequestedAuthnContext = GlideXMLUtil.createTextElement(requestDOM, "saml2p:RequestedAuthnContext", ""); /*"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" is default value in AuthnContextClassRef Method in the idp record. Please note that if the value of the field is changed, the 3rd parameter in the below code i.e the value should also be changed. */ var elementAuthnContextClassRef = GlideXMLUtil.createTextElement(elementRequestedAuthnContext, "saml2:AuthnContextClassRef", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"); elementRequestedAuthnContext.setAttribute("Comparison", "exact"); elementAuthnContextClassRef.setAttribute("xmlns:saml2", "urn:oasis:names:tc:SAML:2.0:assertion"); //3) Set the customised request element DOM. this.glidesaml2api.setCustomizedReqElemDOM(requestDOM); //Customisation ends return this.glidesaml2api.getGeneratedHTTPRequest(); },