The Authentication context defines how a user:
- Should log in (Requested by a Service Provider)
- Has logged in (Specified by the Identity Provider)
The authentication context is a measure of how strong the authentication is.
acr vs amr in OpenID Connect
An Authentication Context Class specifies a set of business rules that authentications are being requested to satisfy. (example list: https://www.iana.org/assignments/loa-profiles/loa-profiles.xhtml)
These rules can often be satisfied by using a number of different specific authentication methods, either singly or in combination.
Interactions using "acr_values" request that the specified Authentication Context Classes be used and that the result should contain an "acr" claim saying which Authentication Context Class was satisfied. The "acr" claim in the reply states that the business rules for the class were satisfied -- not how they were satisfied.
Note: acr & acr_values are currently not supported by IDHub.
In contrast, interactions using the "amr" claim make statements about the particular authentication methods that were used. This tends to be more brittle than using "acr", since the authentication methods that may be appropriate for a given authentication will vary over time, both because of the evolution of attacks on existing methods and the deployment of new authentication methods.
Authentication Methods: https://tools.ietf.org/html/rfc8176
Authentication Context in SAML
Defines the context in which the authentication took place, e.g.:
- The initial user identification mechanisms (for example, face-to-face, online, shared secret).
- The mechanisms for minimizing compromise of credentials (for example, credential renewal frequency, client-side key generation).
- The mechanisms for storing and protecting credentials (for example, smartcard, password rules).
- The authentication mechanism or method (for example, password, certificate-based SSL).
An Authentication context class reference refers to a defined Authentication Context.
Included in this link is a list of pre-defined class references that represent current practices and technologies.
Comparison is an optional parameter that can be supplied by the Service Provider. It states how the authentication context the Identity Provider actually used must compare with the context(s) the Service Provider requested.
It specifies the comparison method used to evaluate the requested context classes or statements, one of "exact", "minimum", "maximum", or "better". The default is "exact".
Either a set of Authentication Context Class References or a set of declaration references can be used. The set of supplied references MUST be evaluated as an ordered set, where the first element is the most preferred authentication context class or declaration.
- If Comparison is set to "exact" or omitted, then the resulting authentication context in the authentication statement MUST be the exact match of at least one of the authentication contexts specified.
- If Comparison is set to "minimum", then the resulting authentication context in the authentication statement MUST be at least as strong (as deemed by the responder) as one of the authentication contexts specified.
- If Comparison is set to "better", then the resulting authentication context in the authentication statement MUST be stronger (as deemed by the responder) than any one of the authentication contexts specified.
- If Comparison is set to "maximum", then the resulting authentication context in the authentication statement MUST be as strong as possible (as deemed by the responder) without exceeding the strength of at least one of the authentication contexts specified.
Note: IDHub (acting as Identity Provider) currently does not take multiple Authentication Contexts into account. Only the first supplied Authentication Context is checked.
Consequently, it can also only pass one Authentication Context (acting as Service Provider).
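As an added example (not IDHub's code, nor anything from the SAML specification), the four Comparison rules above evaluated in Python against a constructed RequestedAuthnContext, plus a helper that reproduces the first-reference-only behaviour noted for IDHub. The strength ranking is a constructed stand-in for the responder's own policy, and reading "better" as "stronger than at least one requested class" is an interpretation of the spec wording.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# Constructed strength ranking, weakest first. SAML leaves this judgement
# to the responder (the IdP); this list stands in for its policy.
STRENGTH_ORDER = [AC + "Password", AC + "PasswordProtectedTransport",
                  AC + "TLSClient", AC + "Smartcard", AC + "SmartcardPKI"]

def strength(class_ref):
    """Rank of a class ref in the responder's ordering (ValueError if unknown)."""
    return STRENGTH_ORDER.index(class_ref)

def parse_requested(xml_text):
    """Return (Comparison, [class refs]) from a <samlp:RequestedAuthnContext>."""
    root = ET.fromstring(xml_text)
    comparison = root.get("Comparison", "exact")  # "exact" is the spec default
    refs = [e.text.strip() for e in root.findall("saml:AuthnContextClassRef", NS)]
    return comparison, refs

def satisfies(achieved, requested, comparison="exact"):
    """True if the IdP's `achieved` class meets the ordered `requested` list."""
    if not requested:
        raise ValueError("RequestedAuthnContext needs at least one class ref")
    got, ranks = strength(achieved), [strength(r) for r in requested]
    if comparison == "exact":
        return achieved in requested
    if comparison == "minimum":   # at least as strong as one of the requested
        return got >= min(ranks)
    if comparison == "better":    # stronger than one of them ("any one" read as at least one)
        return got > min(ranks)
    if comparison == "maximum":   # must not exceed at least one requested class;
        return got <= max(ranks)  # "as strong as possible" is the IdP's own duty
    raise ValueError(f"unknown Comparison value: {comparison}")

def satisfies_first_only(achieved, requested, comparison="exact"):
    """Behaviour the page describes for IDHub: only the first class ref counts."""
    return satisfies(achieved, requested[:1], comparison)

# Constructed request: TLSClient preferred, Password acceptable, Comparison=minimum
SAMPLE_REQUEST = """<samlp:RequestedAuthnContext Comparison="minimum"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient</saml:AuthnContextClassRef>
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>"""
```

With the sample request, a Password login satisfies the full ordered list under "minimum" but fails the first-reference-only check, which is exactly the gap the IDHub note describes.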