Per spec on page 22 in https://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf authentication context class references should be valid URIs. While I think there's little value to parsing an ACR as a URI and validating it's in that format, some SAML libraries do and the proxied assertion will fail at the relying party.
I'd recommend using urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified as the example for fallback mapping in acr_mapping documentation and indicating that other mappings should be valid URIs as well. I'm not tied to any particular mapping choice, I'd just like the examples to be well-formed URIs to save users some potential debugging.
All Submissions:
[x] Have you checked to ensure there aren't other open Pull Requests for the same update/change?
[x] Have you added an explanation of what problem you are trying to solve with this PR?
[x] Have you added information on what your changes do and why you chose this as your solution?
c00kiemon5ter
commented
2 months ago
Per spec on page 22 in https://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf authentication context class references should be valid URIs. While I think there's little value to parsing an ACR as a URI and validating it's in that format, some SAML libraries do and the proxied assertion will fail at the relying party.
I'd recommend using urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified as the example for fallback mapping in acr_mapping documentation and indicating that other mappings should be valid URIs as well. I'm not tied to any particular mapping choice, I'd just like the examples to be well-formed URIs to save users some potential debugging.
All Submissions: