SAML QoA Specification
Until now, application owners had to choose the exact authentication methods (password, mTAN, AuthApp, Vasco, Kerberos, smartcard, Mobile ID, FIDO security key) that a user could use to access the application. With the new QoA concept, the corresponding QoA class can be specified directly in the SAML "authnRequest", so that the user is offered every authentication method that meets at least that QoA level.
Information on the QoA concept can be found under: Quality of Authentication (QoA)
eIAM "AuthnContextClasses"
These are the new "AuthnContextClasses" for requesting the authentication of a user:
Authentication Level | AuthnContextClasses
---|---
QoA10 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:10
QoA20 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:20
QoA30 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:30
QoA40 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:40
QoA50 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:50
QoA51 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:51
QoA60 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:60
Example of a SAML authentication request ("authnRequest")
Issuer: urn:eiam.admin.ch:sp:eiamportal:testapplication-dev2-11
AuthnContextClassRef: urn:qoa.eiam.admin.ch:names:tc:ac:classes:20
To request a given QoA level in a SAML authnRequest, an AuthnContextClassRef (lines 26 to 30 in the example above) must be added to the request. We treat the requested QoA level as a minimum: if the user reaches a higher level, we accept it and report that level to the application in the response.
Example of the "SAML-Response"
Issuer: urn:eiam.admin.ch:pep:HARRODS-DEV2
Issuer: urn:eiam.admin.ch:pep:HARRODS-DEV2
CH99999
Audience: urn:eiam.admin.ch:sp:eiamportal:testapplication-dev2-11
AuthnContextClassRef: urn:qoa.eiam.admin.ch:names:tc:ac:classes:20
CH999999
99999
John
Doe
john.doe@bit.admin.ch
John Doe
fr
99999
CH999999
uid=99999,ou=999.selfreg,ou=999.extern,o=999,o=EIAM,o=ADMIN,c=CH
urn:eiam.admin.ch:idp:e-id:CH-LOGIN-DEV2
true
HARRODS-guestautosilent.ALLOW
HARRODS-guestautosilent-ext.ALLOW
HARRODS-weakautosilent.ALLOW
John
Doe
john.doe@bit.admin.ch
John Doe
fr
99999
999.access-request
AccessRequest
99999
99999\HARRODS-guestautosilent.ALLOW
99999\NHARRODS-guestautosilent-ext.ALLOW
99999\NHARRODS-weakautosilent.ALLOW
99999\999.access-request
99999\Profile-CHL9999999
CHL999999
99999\AccessRequest
CH99999
999
E-ID CH-LOGIN
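The minimum-level rule and the response example above, worked through as an added illustration (this is not eIAM's or the page's own code): the SP embeds the QoA class from the table in its authnRequest and, when the response comes back, reads the class the IdP reports and accepts it only if its level is at least the one requested, since eIAM may answer with a higher level. The SAML Comparison="minimum" attribute and the sample response are assumptions; the page does not show them.

```python
import xml.etree.ElementTree as ET

# Class URN prefix and the levels listed in the eIAM table above (ordered 10 < 20 < ... < 50 < 51 < 60)
QOA_PREFIX = "urn:qoa.eiam.admin.ch:names:tc:ac:classes:"
QOA_LEVELS = (10, 20, 30, 40, 50, 51, 60)
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def qoa_class(level: int) -> str:
    """Build the AuthnContextClassRef value for a QoA level from the table."""
    if level not in QOA_LEVELS:
        raise ValueError(f"unknown QoA level: {level}")
    return f"{QOA_PREFIX}{level}"


def qoa_level(class_ref: str) -> int:
    """Map a returned class back to its level; anything outside the eIAM QoA namespace is rejected."""
    if not class_ref.startswith(QOA_PREFIX) or not class_ref[len(QOA_PREFIX):].isdigit():
        raise ValueError(f"not an eIAM QoA class: {class_ref}")
    level = int(class_ref[len(QOA_PREFIX):])
    if level not in QOA_LEVELS:
        raise ValueError(f"unknown QoA level in class: {class_ref}")
    return level


def requested_authn_context(min_level: int) -> str:
    """RequestedAuthnContext fragment for the authnRequest. Comparison="minimum" is the standard
    SAML attribute and an assumption here; the page only says eIAM treats the level as a minimum."""
    return (f'<samlp:RequestedAuthnContext xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" Comparison="minimum">'
            f"<saml:AuthnContextClassRef>{qoa_class(min_level)}</saml:AuthnContextClassRef>"
            "</samlp:RequestedAuthnContext>")


def achieved_level(response_xml: str) -> int:
    """Read the class the IdP reports in the assertion's AuthnStatement of the SAML-Response."""
    root = ET.fromstring(response_xml)
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ref is None or not ref.text:
        raise ValueError("response carries no AuthnContextClassRef")
    return qoa_level(ref.text.strip())


def meets_minimum(response_xml: str, min_level: int) -> bool:
    """SP-side check: accept the requested level or any higher one, never a lower one."""
    return achieved_level(response_xml) >= min_level


# Constructed sample (not from the page): the IdP answered a QoA20 request with a QoA30 login.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion><saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>{QOA_PREFIX}30</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>
</samlp:Response>"""
```

Signature validation of the Response and Assertion is assumed to have happened before achieved_level is consulted; this check only covers the QoA comparison.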