Multiple login handlers and Shib-Authentication-Method attribute behavior

Stefan Wold ratler at
Fri Sep 2 17:59:32 BST 2011


I have an issue that confuse me quite a bit, not sure if its intended to 
work this way, if its a bug or if I just configured something wrong. I 
have two login handlers, one is UserPassword the other is MultiFactor 
(2FA). My SP then request MultiFactor to be used which work great, I get 
the correct login handler and form from the IdP, if I complete the login 
I get the header Shib-Authentication-Method = 
urn:oasis:names:tc:SAML:2.0:ac:classes:Token as to be expected.

But if I change my auth context before logging in with 2FA by modifying 
the url from /MultiFactor to /UserPassword and then complete the login 
request using only one factor I still get Shib-Authentication-Method = 
urn:oasis:names:tc:SAML:2.0:ac:classes:Token. I would have expected
Shib-Authentication-Method = 

This means I can't rely on Shib-Authentication-Method do determine if 
the user logged in with a secure method to access some content. Have I 
misunderstood something here?

Another related question, I know it's possible to set a 
defaultAuthenticationMethod in RelyingParty, but is there anyway to 
enforce it rather than allowing the SP to override it?


Stefan Wold

More information about the users mailing list