issue with ?

Cantor, Scott cantor.2 at
Tue Aug 18 18:42:38 EDT 2015

On 8/18/15, 6:01 PM, "users on behalf of IAM David Bantz" <users-bounces at on behalf of dabantz at> wrote:

>That's an interesting hint David.  The request received by my IdP has 2 contexts listed in the request:

Unspecified is an outlier, but the other one means that your IdP MUST respond with PPT or an error. If it's sending anything else back, it's misconfigured. V3 is a little more strict about this and should prevent a bad response from going back out in most cases.

>I'm returning for my own login attempt an indication of MCB/duo in AuthnContextClassRef:

You can't do that and be spec-compliant if the request specified something else.

>      </saml2:AuthnContext>...
>and for non 2-factor user, I'm returning simply "Password" in AuthnContextClassRef:

Similarly invalid even though as humans we know those are similar.

>I should be forcing the context to PPT?  

Well, you shouldn't have to force it, it should fall out of the configuration and which methods it runs. But adding things like Duo into the picture make this very difficult to get right, brutally so.

-- Scott

More information about the users mailing list