CHANGELOG.md

+# [18.8.0](https://gitlab.ics.muni.cz/perun/perun-proxyidp/v1/OpenID-Connect-Java-Spring-Server/compare/v18.7.2...v18.8.0) (2025-04-11)
+
+
+### Features
+
+* allow to disable appending and verifying acrs ([1abc84f](https://gitlab.ics.muni.cz/perun/perun-proxyidp/v1/OpenID-Connect-Java-Spring-Server/commit/1abc84f8272049aee760e228330dbf01c7ec59b4))
+
 ## [18.7.2](https://gitlab.ics.muni.cz/perun/perun-proxyidp/v1/OpenID-Connect-Java-Spring-Server/compare/v18.7.1...v18.7.2) (2025-03-06)
 
 

perun-oidc-server-webapp/pom.xml

@@ -21,7 +21,7 @@
 	<parent>
 		<groupId>cz.muni.ics</groupId>
 		<artifactId>perun-oidc-parent</artifactId>
-		<version>18.7.2</version>
+		<version>18.8.0</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 

perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml

@@ -75,7 +75,9 @@
 				<prop key="saml.idp.metadataLocation"/> <!-- i.e. /etc/perun/login-cesnet-metadata.xml -->
 				<prop key="saml.idp.metadataUrl"/> <!-- i.e. https://login.cesnet.cz/proxy/module.php/metadata -->
 				<prop key="saml.acrs.reserverdPrefixes">urn:cesnet:</prop>
+				<prop key="saml.acrs.appendAcrs">true</prop>
 				<prop key="saml.acrs.onlyreserved.append">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,https://refeds.org/profile/sfa</prop>
+				<prop key="saml.acrs.verifyAuthnContext">true</prop>
 				<prop key="saml.user.attrIdentifier">eppn</prop><!-- eppn|epuid|eptid|uid|uniqueIdentifier|perunUserId -->
 				<prop key="saml.user.lookup">original_auth</prop><!-- original_auth|perun_user_id|static_ext_source -->
 				<prop key="saml.static_ext_idp"/>
@@ -160,6 +162,7 @@
 		<property name="idpMetadataFile" value="${saml.idp.metadataLocation}"/>
 		<property name="idpMetadataUrl" value="${saml.idp.metadataUrl}"/>
 		<property name="acrReservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/>
+		<property name="appendAcrs" value="#{'${saml.acrs.appendAcrs}'}"/>
 		<property name="acrsToBeAdded" value="#{'${saml.acrs.onlyreserved.append}'.split('\s*,\s*')}"/>
 		<property name="userIdentifierAttribute" value="${saml.user.attrIdentifier}"/>
 		<property name="userLookupMode" value="${saml.user.lookup}"/>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml

@@ -647,6 +647,7 @@
     <bean id="webSSOprofileConsumer" class="cz.muni.ics.oidc.saml.PerunWebSSOProfileConsumerImpl">
         <property name="reservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/>
         <property name="maxAuthenticationAge" value="360"/>
+        <property name="verifyAuthnContext" value="#{'${saml.acrs.verifyAuthnContext}'}"/>
         </bean>
 
     <bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>

perun-oidc-server/pom.xml

@@ -22,7 +22,7 @@
 	<parent>
 		<groupId>cz.muni.ics</groupId>
 		<artifactId>perun-oidc-parent</artifactId>
-		<version>18.7.2</version>
+		<version>18.8.0</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 

perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java

@@ -306,7 +306,7 @@ public class PerunSamlEntryPoint extends SAMLEntryPoint {
             }
         }
 
-        if (!hasNonReserved) {
+        if (!hasNonReserved && samlProperties.shouldAppendAcrs()) {
             List<String> toBeAdded = new LinkedList<>(Arrays.asList(samlProperties.getAcrsToBeAdded()));
             log.debug("NO ACR with non reserved prefix found, adding following: {}", toBeAdded);
             acrs.addAll(toBeAdded);

perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunWebSSOProfileConsumerImpl.java

@@ -18,11 +18,19 @@ import java.util.stream.Collectors;
 public class PerunWebSSOProfileConsumerImpl extends WebSSOProfileConsumerImpl {
 
     private Set<String> reservedPrefixes;
+    private String verifyAuthnContext;
+    private boolean shouldVerifyAuthnContext;
 
    public void setReservedPrefixes(Set<String> reservedPrefixes) {
         this.reservedPrefixes = reservedPrefixes;
     }
 
+    public void setVerifyAuthnContext(String verifyAuthnContext) {
+       this.verifyAuthnContext = verifyAuthnContext;
+       this.shouldVerifyAuthnContext = Boolean.parseBoolean(verifyAuthnContext);
+    }
+
+
     @Override
     protected void verifyAuthenticationStatement(AuthnStatement auth,
                                                  RequestedAuthnContext requestedAuthnContext,
@@ -66,7 +74,9 @@ public class PerunWebSSOProfileConsumerImpl extends WebSSOProfileConsumerImpl {
             log.debug("No Requested AuthnContext(s)");
         }
         log.debug("Received AuthnContext: {}", receivedContext.getAuthnContextClassRef().getAuthnContextClassRef());
-        super.verifyAuthnContext(requestedAuthnContext, receivedContext, context);
+        if (shouldVerifyAuthnContext) {
+            super.verifyAuthnContext(requestedAuthnContext, receivedContext, context);
+        }
     }
 
     private boolean filterOutConditionsMet(RequestedAuthnContext requestedAuthnContext) {

perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlProperties.java

@@ -36,6 +36,7 @@ public class SamlProperties implements InitializingBean {
     private String idpMetadataUrl;
     private String[] acrReservedPrefixes;
     private String[] acrsToBeAdded;
+    private String appendAcrs;
     private String userIdentifierAttribute;
     private String userLookupMode;
     private String staticUserExtSource;
@@ -97,4 +98,12 @@ public class SamlProperties implements InitializingBean {
         }
     }
 
+    public void setAppendAcrs(String appendAcrs) {
+        this.appendAcrs = appendAcrs;
+    }
+
+    public boolean shouldAppendAcrs() {
+        return Boolean.parseBoolean(appendAcrs);
+    }
+
 }

pom.xml

@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>cz.muni.ics</groupId>
 	<artifactId>perun-oidc-parent</artifactId>
-	<version>18.7.2</version>
+	<version>18.8.0</version>
 	<packaging>pom</packaging>
 
 	<modules>