issue with ?

David Langenberg davel at
Tue Aug 18 20:01:14 EDT 2015

On Tue, Aug 18, 2015 at 6:30 PM, IAM David Bantz <dabantz at> wrote:

> On Tue, Aug 18, 2015 at 2:34 PM, David Langenberg <davel at>
> wrote:
>> You must force it to PPT or they will reject it. We wound up tweaking our
>> config to make sure we send PPT rather than Password.
> Uncle! RelyingParty config with defaultAuthenticationMethod does not force
> the AuthnContextRefClass to PPT and in any case doesn't address Duo 2FA
> users.  Please give me a hint on how to "force [AuthnContextRefClass in
> outgoing SAML] to PPT" for a relying party. Perhaps a clever config in
> multi-context-broker.xml ?

I wish I could show you something cool & clever.  Unfortunately, I had to
in the end eliminate Password from anywhere in my configs (only using PPT)
and then gave my users a choice.  The distasteful choice was could use or they could be defaulted to 2FA.  Those who were negatively
affected chose to opt-out of electing to force Duo.  Now, that said, things
seem to work properly under IdPv3 ( seems to at least see me).
I'll see if I can track down somebody who uses the site & get them to try


David Langenberg
Identity & Access Management Architect
The University of Chicago