authncontextclass

bhl104
Kilo Explorer

Hello -

I am trying to figure out how to clear the following errors when I run the "Test Connection"on my SSO properties page.

Error seems to be complaining about the AuthContextClass configuration.

In the the limited discovery that I have done I found this link, but I need some guidance.

Running Hels P3.

Thanks for your review/response,

Brian Ladrido

Penn State Service Management DevOps

7 REPLIES 7

Thanks Ankur!



I've set the checkbox to false, and wiped out the value in AuthnContextClassRef Method. Still doesn't work.


Hi Sakshi,



Can you mark the checkbox as true and populate the value for AuthContextClass as "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" and check it once.



Regards


Ankur


Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

Hi Sakshi,



There is some relevant documentation at the end of this post.



If you are shooting for forms based authentication you should


set Create AuthnContextClass = true


and set AuthnContextClassRef Method urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport


Then troubleshoot based on the error messages you see with sso debug enabled




If on the other hand you are shooting for windows based authentication based on the user id and password you supplied to authenticate via a windows domain controller



set Create AuthnContextClass = true


and set AuthnContextClassRef Method urn:federation:authentication:windows


Then troubleshoot based on the error messages you see with sso debug enabled




If you would like either, you should test both options as above and then


set Create AuthnContextClass = false and let the IDP decide between the two.




Relevant documentation:


https://docs.servicenow.com/bundle/helsinki-servicenow-platform/page/integrate/saml/task/t_OptEnable...



You can enable the instance to send an authentication context class request to the IdP containing your instance's preferred authentication request format.



Before you begin


Role required: admin


About this task


If you enable creating an AuthContextClass message, then you must also specify an authentication context class reference format.


Note: Some IdP's do not allow the Service Provider to set the authentication context class. Disabling this setting allows the IdP to choose the authentication context class.


Procedure


  1. From the property Create an AuthnContextClass request in the AuthnRequest statement, select Yes to specify a particular context class such as Password Protected Transport, or select No to have the IdP select the most appropriate context class.
  2. If you selected Yes to Create an AuthnContextClass request in the AuthnRequest statement, then in The AuthnContextClassRef method that we will request in our SAML 2.0 AuthnRequest to the Identity Provider property, enter the URN of the context class you want to use for authentication (see table).
    Authentication typeAuthentication context class URN
    Forms-based authenticationurn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    Kerberos-based authenticationurn:federation:authentication:windows
    By default, the integration uses a Password Protected Transport authentication method.
  3. Click Update.