Authenticating authority
The `AuthnContext` element in the SAML authentication response identifies the whole authentication context. This element can contain an `AuthenticatingAuthority` field, which we use to inform the SAML Service Provider which external IdP the end-user used to authenticate. This feature only works when a new session is created, not for step-up authentication.
The following URN is provided for authentications with an external IdP: `urn:com:onegini:saml:idp-alias:<IDP_ALIAS>`, where `<IDP_ALIAS>` is the unique Identity Provider alias. This alias is configured during IdP creation and is visible in the admin panel.
For internal login methods such as action token or QR login, the following fixed value is provided: `urn:com:onegini:saml:idp:<LOGIN_METHOD_ID>`
| Login method name | LOGIN_METHOD_ID |
|---|---|
| QR login | qr |
| Action Token Login | action_token_login |
| Action Token App2Web | action_token_app2web |
Example of an authentication with DigiD:

```xml
<saml2:AuthnStatement AuthnInstant="2022-05-18T11:26:17.341Z" SessionIndex="ab16fc36-3095-4e72-9936-114e28369546">
  <saml2:AuthnContext>
    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
    <saml2:AuthenticatingAuthority>urn:com:onegini:saml:idp-alias:digid</saml2:AuthenticatingAuthority>
  </saml2:AuthnContext>
</saml2:AuthnStatement>
```
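The following is an added example of how a Service Provider can consume this field; it is not Onegini code. It parses the `AuthnStatement` shown above (reproduced here as a constructed sample with an added `xmlns:saml2` declaration so the fragment parses on its own), maps the `AuthenticatingAuthority` URN to either an external IdP alias or one of the internal `LOGIN_METHOD_ID` values from the table, and applies an SP-side allow-list so a new session is only accepted when it was authenticated by an expected IdP. The function names and the allow-list policy are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EXTERNAL_IDP_PREFIX = "urn:com:onegini:saml:idp-alias:"
INTERNAL_METHOD_PREFIX = "urn:com:onegini:saml:idp:"

# Fixed LOGIN_METHOD_ID values from the table above.
INTERNAL_LOGIN_METHODS = {
    "qr": "QR login",
    "action_token_login": "Action Token Login",
    "action_token_app2web": "Action Token App2Web",
}

# Constructed sample: the DigiD AuthnStatement from the documentation, with an
# xmlns:saml2 declaration added so it parses stand-alone (in a real response the
# prefix is declared on the enclosing Assertion element).
SAMPLE_AUTHN_STATEMENT = """<saml2:AuthnStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    AuthnInstant="2022-05-18T11:26:17.341Z" SessionIndex="ab16fc36-3095-4e72-9936-114e28369546">
  <saml2:AuthnContext>
    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
    <saml2:AuthenticatingAuthority>urn:com:onegini:saml:idp-alias:digid</saml2:AuthenticatingAuthority>
  </saml2:AuthnContext>
</saml2:AuthnStatement>"""


def classify_authenticating_authority(urn: str):
    """Map an AuthenticatingAuthority URN to ("external", <IDP_ALIAS>),
    ("internal", <LOGIN_METHOD_ID>) or ("unknown", urn)."""
    if urn.startswith(EXTERNAL_IDP_PREFIX):
        alias = urn[len(EXTERNAL_IDP_PREFIX):]
        return ("external", alias) if alias else ("unknown", urn)
    if urn.startswith(INTERNAL_METHOD_PREFIX):
        method_id = urn[len(INTERNAL_METHOD_PREFIX):]
        if method_id in INTERNAL_LOGIN_METHODS:
            return ("internal", method_id)
    return ("unknown", urn)


def authenticating_authorities(authn_statement_xml: str):
    """Return the AuthenticatingAuthority values found inside the AuthnContext
    of an AuthnStatement. The list is empty when the field is absent, which is
    what a step-up authentication produces."""
    root = ET.fromstring(authn_statement_xml)
    context = root.find(f"{{{SAML2_NS}}}AuthnContext")
    if context is None:
        return []
    return [
        (el.text or "").strip()
        for el in context.findall(f"{{{SAML2_NS}}}AuthenticatingAuthority")
    ]


def check_allowed_idp(authn_statement_xml: str, allowed_aliases):
    """Hypothetical SP-side policy: accept the new session only when exactly one
    external IdP alias is reported and it is on the allow-list.
    Returns (ok, alias_or_reason)."""
    authorities = authenticating_authorities(authn_statement_xml)
    if len(authorities) != 1:
        return (False, f"expected one AuthenticatingAuthority, got {len(authorities)}")
    kind, value = classify_authenticating_authority(authorities[0])
    if kind != "external":
        return (False, f"{kind} authority {value!r} is not an external IdP")
    if value not in allowed_aliases:
        return (False, f"IdP alias {value!r} not allowed")
    return (True, value)


if __name__ == "__main__":
    print(authenticating_authorities(SAMPLE_AUTHN_STATEMENT))
    print(check_allowed_idp(SAMPLE_AUTHN_STATEMENT, {"digid"}))
```

The prefix check is unambiguous because `idp-alias:` and `idp:` diverge at the character after `idp`; an unrecognised internal method id or an empty alias is reported as unknown rather than silently accepted, which is the behaviour you want when a response arrives from a misconfigured or unexpected IdP.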