{"id":11622,"date":"2025-08-19T21:20:48","date_gmt":"2025-08-20T02:20:48","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=11622"},"modified":"2025-08-19T21:20:48","modified_gmt":"2025-08-20T02:20:48","slug":"pingfederate-ognl-customization-of-authncontext","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=11622","title":{"rendered":"PingFederate \u2013 OGNL Customization of AuthnContext"},"content":{"rendered":"

After a recent merger, we have added federated authentication in our PingFederate environment that allows the incoming company to continue to use their Entra (ADFS) logon process to authenticate through PingFederate. All of the IDs exist in our directory, and contract attributes are populated based on the local account. But the authentication<\/em> is handled by their existing system. It\u2019s really cool, and works for 99.9% of the applications. One, however, was not happy with the resultant attribute contract. It worked fine for me, logging in directly with PingFederate. Anyone who authenticated through Entra, however, got a very specific error:<\/p>\n

AuthenticatingAuthority array contains a value which is not a wellformed absolute uri<\/strong><\/p>\n

And, yes, I concur \u2013 there is absolutely an element in the AuthenticatingAuthority array that is not a well-formed absolute URI<\/p>\n

<\/p>\n

Luckily, there appears to be a solution. On the ACS URL tab, select \u201cShow Advanced Customizations\u201d<\/p>\n

\"A<\/p>\n

Use the drop-down to select the message type of \u201cAssertionType\u201d and the expression provided at https:\/\/support.pingidentity.com\/s\/article\/OGNL-Examples-Message-Customization#rm-authauthority<\/a> to remove authenticating authority values when multiple are present (which also works when only one is present)<\/p>\n

\"A<\/p>\n

Now I no longer have authenticating authorities but<\/em> the AuthnContextClassRef is “urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony\u201d \u2026 so, in the assertion creation, we need to add SAML_AUTHN_CTX to the attribute contract<\/p>\n

\"A<\/p>\n

In the attribute contract fulfillment, map this to a static TEXT string \u2013 I am using \u201curn:oasis:names:tc:SAML:2.0:ac:classes:unspecified\u201d which is used as the default in PingFederate<\/p>\n

<\/p>\n

Final Answer! I have an AuthnContext that does not contain any invalid URI strings and<\/em> a AuthnContextClassRef that is expected.<\/p>\n

<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

After a recent merger, we have added federated authentication in our PingFederate environment that allows the incoming company to continue to use their Entra (ADFS) logon process to authenticate through PingFederate. All of the IDs exist in our directory, and contract attributes are populated based on the local account. But the authentication is handled by …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2114],"tags":[2116,2115,2117,2118],"class_list":["post-11622","post","type-post","status-publish","format-standard","hentry","category-pingfederate","tag-ognl","tag-ping","tag-pingfed","tag-pingfederate"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11622","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11622"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11622\/revisions"}],"predecessor-version":[{"id":11629,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11622\/revisions\/11629"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11622"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11622"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11622"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}