
Authenticating authority

The AuthnContext element inside the AuthnStatement of the SAML authentication response describes the context in which the end-user authenticated. It can contain an AuthenticatingAuthority element, which we use to tell the SAML Service Provider which external IdP or internal login method the end-user authenticated with. The element is only added when a new session is created; it is not included for step-up authentication.

For authentications with an external IdP the following URN is provided: urn:com:onegini:saml:idp-alias:<IDP_ALIAS>, where <IDP_ALIAS> is the unique Identity Provider alias. This alias is configured when the IdP is created and is visible in the admin panel.

For internal login methods such as action token or QR login, the following fixed value is provided: urn:com:onegini:saml:idp:<LOGIN_METHOD_ID>, where <LOGIN_METHOD_ID> is one of the identifiers in the table below.

| Login method name     | LOGIN_METHOD_ID      |
|-----------------------|----------------------|
| QR login              | qr                   |
| Action Token Login    | action_token_login   |
| Action Token App2Web  | action_token_app2web |

Example of an authentication with DigiD:

<saml2:AuthnStatement AuthnInstant="2022-05-18T11:26:17.341Z" SessionIndex="ab16fc36-3095-4e72-9936-114e28369546">
  <saml2:AuthnContext>
    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
    <saml2:AuthenticatingAuthority>urn:com:onegini:saml:idp-alias:digid</saml2:AuthenticatingAuthority>
  </saml2:AuthnContext>
</saml2:AuthnStatement>
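The following is an added example of what a Service Provider does with this element; it is not part of this page or of the product's own code. It extracts AuthenticatingAuthority from an AuthnStatement, splits the URN into the external-alias and internal-method forms described above, treats a missing element as the step-up case, and applies a hypothetical allowlist policy (the function `is_allowed`, the allowlist sets and the sample assertions are assumptions, constructed for the example). It assumes the caller has already verified the response or assertion signature: the value is only meaningful inside a signed assertion, and a real SP should parse untrusted XML with defusedxml rather than the standard-library parser used here.

```python
import xml.etree.ElementTree as ET
from typing import Optional

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}

# URN prefixes documented on this page.
EXTERNAL_IDP_PREFIX = "urn:com:onegini:saml:idp-alias:"
INTERNAL_METHOD_PREFIX = "urn:com:onegini:saml:idp:"

# Internal login method identifiers from the table on this page.
INTERNAL_METHODS = {
    "qr": "QR login",
    "action_token_login": "Action Token Login",
    "action_token_app2web": "Action Token App2Web",
}


def extract_authenticating_authority(xml_text: str) -> Optional[str]:
    """Return the AuthenticatingAuthority text from the first AuthnStatement, or None.

    None is the expected result for step-up authentication, where the element is
    not added. Assumption: the caller has already verified the assertion signature.
    For untrusted input use defusedxml instead of the standard-library parser.
    """
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{SAML2_NS}}}AuthnStatement":
        statements = [root]
    else:
        statements = root.findall(".//saml2:AuthnStatement", NS)
    for stmt in statements:
        el = stmt.find("saml2:AuthnContext/saml2:AuthenticatingAuthority", NS)
        if el is not None and el.text and el.text.strip():
            return el.text.strip()
    return None


def classify_authority(urn: Optional[str]) -> dict:
    """Map the URN to the kind of authenticator it names (external IdP alias or internal method)."""
    if urn is None:
        return {"kind": "absent", "id": None, "label": None}
    if urn.startswith(EXTERNAL_IDP_PREFIX):
        alias = urn[len(EXTERNAL_IDP_PREFIX):]
        return {"kind": "external_idp", "id": alias, "label": alias}
    if urn.startswith(INTERNAL_METHOD_PREFIX):
        method_id = urn[len(INTERNAL_METHOD_PREFIX):]
        return {"kind": "internal", "id": method_id,
                "label": INTERNAL_METHODS.get(method_id, "unknown internal method")}
    return {"kind": "unknown", "id": urn, "label": None}


def is_allowed(urn: Optional[str], allowed_idp_aliases: set, allowed_internal_methods: set) -> bool:
    """Hypothetical SP-side policy: accept only explicitly allowlisted authenticators.

    An absent element is rejected here because, for a new session, it cannot be
    told apart from a stripped one; step-up responses, where the element is absent
    by design, should be handled on a separate code path.
    """
    info = classify_authority(urn)
    if info["kind"] == "external_idp":
        return info["id"] in allowed_idp_aliases
    if info["kind"] == "internal":
        return info["id"] in allowed_internal_methods
    return False


# Constructed sample assertions (not captured traffic), in the shape shown on this page.
def _assertion(authn_context_body: str) -> str:
    return (
        f'<saml2:Assertion xmlns:saml2="{SAML2_NS}">'
        '<saml2:AuthnStatement AuthnInstant="2022-05-18T11:26:17.341Z" '
        'SessionIndex="ab16fc36-3095-4e72-9936-114e28369546">'
        f'<saml2:AuthnContext>{authn_context_body}</saml2:AuthnContext>'
        '</saml2:AuthnStatement></saml2:Assertion>'
    )


CLASS_REF = ("<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
             "</saml2:AuthnContextClassRef>")
SAMPLE_DIGID = _assertion(CLASS_REF + "<saml2:AuthenticatingAuthority>"
                          "urn:com:onegini:saml:idp-alias:digid</saml2:AuthenticatingAuthority>")
SAMPLE_QR = _assertion(CLASS_REF + "<saml2:AuthenticatingAuthority>"
                       "urn:com:onegini:saml:idp:qr</saml2:AuthenticatingAuthority>")
SAMPLE_STEP_UP = _assertion(CLASS_REF)  # step-up: no AuthenticatingAuthority element at all

if __name__ == "__main__":
    for name, xml in (("digid", SAMPLE_DIGID), ("qr", SAMPLE_QR), ("step-up", SAMPLE_STEP_UP)):
        urn = extract_authenticating_authority(xml)
        print(name, urn, classify_authority(urn), is_allowed(urn, {"digid"}, {"qr"}))
```

The prefix checks rely on the two documented URN forms differing right after `idp` (`idp-alias:` versus `idp:`), so neither can be mistaken for the other; anything outside those two forms is reported as `unknown` and rejected by the policy rather than silently mapped.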