Former Member

SAML 2.0 Multiple Authentication contexts


I'm trying to set up a prototype for a SAML 2.0 scenario. The setup includes NW SSO as the SAML Identity Provider and a NW 7.4 Server as the Service Provider. One of the requirements is to have multi-factor authentication during the user authentication, which means that the basic password check must be followed by a one-time password (OTP) check as well. For this OTP check, we have a specific login module which, in a regular authentication (non-SAML) scenario, works fine as part of an authentication stack.

For the SAML 2.0 scenario, this OTP login module has been assigned to a custom authentication context on the IDP side. The SP's SAML policy has been configured to request this additional auth. context as well. During the SAML authentication, this OTP login module gets called, so that auth. context part of the setup looks correct.

The issue I'm facing is that there is no way to specify the flag for these login modules in the SAML 2.0 scenario; I'd like to set one to 'REQUIRED', and the other one to 'REQUISITE'. SAP NW SSO calls all login modules that are part of the requested authentication context with the 'SUFFICIENT' flag; if any of them is successful, the login will be allowed. So, if I specify a wrong password with a correct OTP, it will let me in, or if I specify a correct password with no or incorrect OTP, it will let me in as well.

Class SAML2AuthnContextLoginModule does the processing of these authentication contexts, but I don't see any way it could be influenced to read the flags for those login modules from somewhere or to specify a stack for the contexts similar to how the regular auth. stacks can be defined.

Has anybody faced the same issue or been able to resolve it? Any suggestion is welcome.

Thank you,
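
The flag semantics at issue in the question above, as an added example that is not part of the original post and not SAP code: a small Python model of the standard JAAS control flags, comparing a stack where both modules are SUFFICIENT with one where both must pass. The module names are hypothetical, and which module gets REQUISITE versus REQUIRED is an assumption.

```python
from itertools import product

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

def evaluate_stack(stack, outcomes):
    """Overall result of a login stack under standard JAAS control-flag rules.

    stack:    ordered list of (module_name, flag)
    outcomes: dict module_name -> True if that module's check passed
    """
    mandatory_seen = mandatory_failed = any_success = False
    for name, flag in stack:
        ok = outcomes[name]
        if flag in (REQUIRED, REQUISITE):
            mandatory_seen = True
            if not ok:
                mandatory_failed = True
                if flag == REQUISITE:
                    break  # REQUISITE failure returns control immediately
        else:
            any_success = any_success or ok
            if flag == SUFFICIENT and ok:
                break  # SUFFICIENT success skips the rest of the stack
    # With mandatory modules, all of them (up to the stop point) must pass;
    # without any, one SUFFICIENT/OPTIONAL success is enough.
    return not mandatory_failed if mandatory_seen else any_success

def truth_table(stack):
    """Map (password_ok, otp_ok) -> login allowed, for every combination."""
    names = [name for name, _ in stack]
    return {combo: evaluate_stack(stack, dict(zip(names, combo)))
            for combo in product([False, True], repeat=len(names))}

# Hypothetical module names; the flag assignment in STRICT is an assumption
# (the post only says one module should be REQUIRED and the other REQUISITE).
AS_OBSERVED = [("PasswordLoginModule", SUFFICIENT), ("OtpLoginModule", SUFFICIENT)]
STRICT = [("PasswordLoginModule", REQUISITE), ("OtpLoginModule", REQUIRED)]

if __name__ == "__main__":
    for label, stack in (("all SUFFICIENT", AS_OBSERVED), ("REQUISITE + REQUIRED", STRICT)):
        for (pw_ok, otp_ok), allowed in truth_table(stack).items():
            print(f"{label:22} password_ok={pw_ok!s:5} otp_ok={otp_ok!s:5} -> allowed={allowed}")
```

Running the same four credential combinations against an IDP test user gives a quick regression check that a second factor is actually enforced after any configuration change or upgrade.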



1 Answer

  • Oct 14, 2014 at 08:55 PM

    Hi David,

    I guess you can set the login module flags in the IDP. On the SP side, I remember you can specify which login modules from the IDP are mandatory in the Trusted Provider tab. Sorry, I don't have access to the ex-customer's system and cannot help you further.


    Chenyang Xiong


    • Former Member

      Hello Chenyang,

      Thank you for your feedback. Unfortunately, there is no setting for these flags on the IDP or SP side with the NW SSO release that we have currently. You can set up the authentication contexts with the assignment to the login modules, the default contexts and policies that contain the supported contexts on the IDP side. On the SP side, you can only request authentication context(s) or use the comparison method to request an exact match, better, etc. on the IDP side.

      I'm going to request an upgrade of our NW SSO server to SP3 because SAP has their own OTP login module in SP3, and they must have faced the same issue when they tried to make it work with SAML 2.0, assuming they have a working two-level authentication SAML 2.0 setup in SP3.


      David Barna