17411 saml: addition of RequestedAuthnContext option

This werk introduces support for configuring the `<RequestedAuthnContext>`
in SAML authentication. In more deteail, it allows specifying authentication
requirements, including `AuthnContextClassRef` values and `Comparison`
attributes, to ensure greater control over the authentication process.

CMK-12024

Change-Id: I690897e8d70433800fd87186dd68cca2f543f5a0

.werks/17411.md

@@ -0,0 +1,17 @@
+[//]: # (werk v2)
+# saml: addition of RequestedAuthnContext option
+
+key        | value
+---------- | ---
+date       | 2024-12-02T14:09:25+00:00
+version    | 2.4.0b1
+class      | feature
+edition    | cee
+component  | setup
+level      | 1
+compatible | yes
+
+This werk introduces support for configuring the `<RequestedAuthnContext>`
+in SAML authentication. In more deteail, it allows specifying authentication
+requirements, including `AuthnContextClassRef` values and `Comparison`
+attributes, to ensure greater control over the authentication process.

cmk/gui/userdb/_connections.py

@@ -164,6 +164,11 @@ class ContactGroupMapping(TypedDict):
 ROLE_MAPPING = Literal[False] | tuple[Literal[True], tuple[str, Mapping[str, Sequence[str]]]]
 
 
+class SAMLRequestedAuthnContext(TypedDict):
+    comparison: Literal["exact", "minimum", "maximum", "better"]
+    authn_context_class_ref: Sequence[str]
+
+
 class SAMLUserConnectionConfig(UserConnectionConfig, total=True):
     name: str
     description: str
@@ -177,6 +182,7 @@ class SAMLUserConnectionConfig(UserConnectionConfig, total=True):
     connection_timeout: tuple[int, int]  # connection timeout, read timeout
     signature_certificate: SerializedCertificateSpec
     encryption_certificate: NotRequired[SerializedCertificateSpec]
+    requested_authn_context: NotRequired[SAMLRequestedAuthnContext]
     user_id_attribute_name: str
     user_alias_attribute_name: str
     email_attribute_name: str