
Disable setting RequestedAuthnContext during saml request #2580

Open
jathok wants to merge 1 commit into MobSF:master from jathok:fix/remove-request-auth-context

Conversation


@jathok jathok commented Jan 12, 2026

Describe the Pull Request

Current Behavior

If the setting is omitted or set to true, the SAML Python Toolkit request will set the RequestedAuthnContext to 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' (see the advanced_settings.json section for "requestedAuthnContext").

Issue
IdP services will use the RequestedAuthnContext if provided. If the session did not exactly use PasswordProtectedTransport, SSO login will always fail.

Issue Environment

We use Azure Entra as the IdP. The login method is hardened and does not necessarily use PasswordProtectedTransport method, but rather a "stronger" one.

This Entra AADSTS75011 Troubleshooting article describes the issue.

Intent

The RequestedAuthnContext should only be set if

  1. The application (MobSF) enforces a minimum amount of security
  2. The context is read and validated afterwards (which is not the case)

Solution

Following Intent Nr. 1, I would change the security setting to enforce AT LEAST PasswordProtectedTransport, therefore changing the requestedAuthnContextComparison to minimum instead of exact.

However, Microsoft explicitly documents that Entra SAML applications do not support any other comparison but exact.

The other solution is to disable the RequestedAuthnContext entirely. Since it is optional for the Entra IdP and, from what I could find searching the net, also optional for other IdPs, I suggest doing so by default.

Checklist for PR

  • Run MobSF unit tests and lint tox -e lint,test
  • Tested Working on Linux, Mac, Windows, and Docker
  • Add unit test for any new Web API (Refer: StaticAnalyzer/tests.py)
  • Make sure tests are passing on your PR MobSF tests
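The three settings variants discussed in the description (omitted/true, a class list with "minimum" comparison, and false), shown as an added example that is not MobSF's or python3-saml's own code. The settings fragments are constructed to mirror the "security" section of the toolkit's advanced_settings.json; `requested_authn_context_xml` is an illustrative re-implementation of the toolkit's rule, and `audit_authn_request` is a small defender-side check to confirm what an SP actually asks the IdP for when logins are being rejected:

```python
"""Added example (not MobSF or python3-saml code): show how the
security.requestedAuthnContext setting controls the
<samlp:RequestedAuthnContext> element of a SAML AuthnRequest, and
audit a generated request to see what the SP demands of the IdP."""
import json
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed settings fragments, shaped like the "security" section of
# python3-saml's advanced_settings.json (assumption: only these keys matter).
SETTINGS_DEFAULT = '{"security": {}}'  # key omitted: toolkit defaults it to true
SETTINGS_EXACT_PPT = '{"security": {"requestedAuthnContext": true}}'
SETTINGS_DISABLED = '{"security": {"requestedAuthnContext": false}}'
SETTINGS_MINIMUM = ('{"security": {"requestedAuthnContext": ["%s"],'
                    ' "requestedAuthnContextComparison": "minimum"}}' % PPT)


def requested_authn_context_xml(settings_json: str) -> str:
    """Illustrative re-implementation of the toolkit's rule:
    omitted or true  -> Comparison="exact" with PasswordProtectedTransport
    list of classes  -> those classes, with the configured comparison
    false            -> the element is not emitted at all."""
    security = json.loads(settings_json).get("security", {})
    ctx = security.get("requestedAuthnContext", True)  # omitted behaves as true
    if ctx is False:
        return ""
    comparison = security.get("requestedAuthnContextComparison", "exact")
    classes = [PPT] if ctx is True else list(ctx)
    refs = "".join(
        "<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>" % c
        for c in classes)
    return ('<samlp:RequestedAuthnContext Comparison="%s">%s'
            "</samlp:RequestedAuthnContext>" % (comparison, refs))


def build_authn_request(settings_json: str) -> str:
    """Minimal AuthnRequest envelope (constructed; a real request also
    carries ID, IssueInstant, Destination, Issuer, NameIDPolicy, ...)."""
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" Version="2.0">'
            "%s</samlp:AuthnRequest>"
            % (NS_SAMLP, NS_SAML, requested_authn_context_xml(settings_json)))


def audit_authn_request(xml_text: str) -> dict:
    """Report whether a RequestedAuthnContext is present, its Comparison
    (the SAML default is "exact" when the attribute is absent) and the
    class refs. Run this over a decoded AuthnRequest when an IdP rejects
    logins (for example Entra's AADSTS75011) to confirm what was sent."""
    root = ET.fromstring(xml_text)
    rac = root.find("{%s}RequestedAuthnContext" % NS_SAMLP)
    if rac is None:
        return {"present": False, "comparison": None, "classes": []}
    classes = [e.text for e in rac.findall("{%s}AuthnContextClassRef" % NS_SAML)]
    return {"present": True,
            "comparison": rac.get("Comparison", "exact"),
            "classes": classes}


if __name__ == "__main__":
    for name, s in [("omitted", SETTINGS_DEFAULT), ("true", SETTINGS_EXACT_PPT),
                    ("minimum", SETTINGS_MINIMUM), ("false", SETTINGS_DISABLED)]:
        print(name, audit_authn_request(build_authn_request(s)))
```

Running it shows the point of the PR: with the key omitted or true, the request pins the IdP to exactly PasswordProtectedTransport; the "minimum" variant relaxes that but is the comparison Entra does not accept; with false, the element disappears and the IdP is free to apply its own (possibly stronger) policy.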
