
Set up SAML authentication context in Digital Access

This article includes updates for Smart ID 20.11 and Digital Access 6.3.0.

In a federated scenario where the Smart ID Digital Access component works as a SAML identity provider, service providers may ask for a certain Level of Assurance (LoA) by defining one or several corresponding SAML authentication contexts in the request sent to Digital Access during authentication. Only those authentication methods that are qualified to provide the corresponding security are then shown to the user. In Digital Access you can assign one or several authentication contexts to each authentication method to define which LoA is supported by that method.

During authentication, Digital Access shows only those authentication methods whose authentication context matches one of the values in the SAML request.

If none of the authentication methods supports the requested authentication context, all methods are shown to the user. This can happen if the service provider does not ask for a specific authentication context but allows one with a higher level of assurance, and therefore higher security.

In a SAML federated scenario where Digital Access acts as an IDP proxy, a similar behavior can be achieved by setting the LoA translation group property. LoA translation groups define the conditions when to convert the AuthNContextClassRef in the SAML response to a new value. 

A scenario when LoA translation groups can be useful is when a SAML IDP Proxy is used and the external IDP is unable to send back the expected AuthNContextClassRef. This translation also works in case of Digital Access acting as a SAML IDP.

With Digital Access it is also possible to define authentication contexts used for signing. See Use authentication methods in Digital Access for signing over SAML.

Step-by-step instructions

Log in to Digital Access Admin

1. Log in to Digital Access Admin with an administrator account.

Set up authentication method with authentication context

1. Set up an authentication method, for example, Swedish Mobile BankID. For more information, see Set up authentication method in Digital Access.
2. Open the Extended Properties tab.
3. Click Add Extended Property...
4. Select SAML Authentication Context from the Key drop-down menu.
5. Define the authentication context(s) as a space-separated list in the Value field. For example, http://id.elegnamnden.se/loa/1.0/loa3.

   The rightmost authentication context in the list is sent back to the service provider if the authentication method used for authentication does not contain the requested value, or if the request contains two or more of the authentication contexts that the authentication method supports. Because of this, if you define more than one authentication context, write them in sorted order from left to right, with the highest value at the far right.

6. Click Save.
7. Click Publish.

Optional: Create access rule

Before the authentication methods that match the authentication context are selected, configured access rules are validated and pre-filter the list of available authentication methods. To configure access rules for a federation, see Access rules in Digital Access.

Set up LoA translation groups

1. Under Manage SAML Federation > Manage Global SAML federation settings, go to the Manage LoA Translation section.
2. Click Add a Translation group...
3. Add the Translate To and Translate From values and the SAML federation where you wish to apply this translation.
4. Click Save.
5. Click Publish.
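The following model illustrates the selection and response rules described in the steps above (method filtering, the rightmost-context fallback, and LoA translation groups). It is an added example written for this page, not Nexus product code; the method names, the loa1 to loa4 context values built from the page's example prefix, and the federation name are constructed sample values.

```python
"""Model of the Digital Access authentication-context behaviour described
on this page. Added illustration, not Nexus product code; all method names,
contexts and federation names below are constructed sample values."""

LOA = "http://id.elegnamnden.se/loa/1.0/"  # prefix of the page's example value

# Constructed sample: each method's "SAML Authentication Context" extended
# property, already split on spaces, sorted ascending so the highest LoA is
# rightmost (the ordering rule the page asks for).
METHODS = {
    "password":      [LOA + "loa1", LOA + "loa2"],
    "mobile-bankid": [LOA + "loa2", LOA + "loa3"],
    "smart-card":    [LOA + "loa3", LOA + "loa4"],
}

# Constructed sample LoA translation groups:
# (SAML federation, Translate From) -> Translate To
TRANSLATIONS = {
    ("sp-federation", "urn:external-idp:strong"): LOA + "loa3",
}


def filter_methods(requested, methods=METHODS):
    """Methods offered to the user for a request carrying 'requested'
    AuthnContextClassRef values. Only methods whose context list overlaps the
    request are shown; if none overlaps, all methods are shown (the page's
    fallback for a service provider that accepts a higher LoA)."""
    matching = [m for m, ctxs in methods.items() if set(ctxs) & set(requested)]
    return matching or list(methods)


def context_for_response(method, requested, methods=METHODS):
    """AuthnContextClassRef sent back after 'method' authenticated the user.
    Exactly one requested value supported by the method -> that value.
    Otherwise (no overlap, or two or more overlaps) -> the rightmost
    configured context, which is why the list must be sorted ascending."""
    ctxs = methods[method]
    overlap = [c for c in ctxs if c in requested]
    return overlap[0] if len(overlap) == 1 else ctxs[-1]


def translate_loa(federation, context, translations=TRANSLATIONS):
    """IdP-proxy case: rewrite the AuthnContextClassRef received from the
    external IdP when a translation group exists for this federation."""
    return translations.get((federation, context), context)
```

Note that an unsorted context list makes the fallback return a lower LoA than the method actually provides, so check the ordering whenever you edit the extended property.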

Related information

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.