New 3.2 bean shibboleth.IgnoredContexts

Cantor, Scott cantor.2 at
Fri Dec 4 10:36:43 EST 2015

On 12/4/15, 10:15 AM, "users on behalf of Michael A Grady" <users-bounces at on behalf of mgrady at> wrote:

>So I noticed the new 3.2 bean called shibboleth.IgnoredContexts. 
>- Could that be used to force a 2FA method (e.g. Duo) even if an SP explicitly includes a request for PPT, by specifying PPT in that list?   (And specifying a defaultAuthenticationMethods of 2FA for the SP in relying-party, of course.)  

That isn't standards compliant (and neither is ignoring unspecified, strictly speaking, so I fixed the bug by just implementing an ignore list rather than hardcoding it). There's no provision in SAML for ignoring a requested context. Unspecified is a special case because it just doesn't make any sense (and it's a bug that it's in SAML in the first place, but I wasn't dealing with programmers who could understand why "null indicators" in specs don't work unless the field could never *be* null)

The reason for the feature was just to allow people to manipulate this if there's an interop problem they can't solve any other way.

>- Are there are any "negative impacts" of that, as long as PPT is otherwise the default method, and the Duo flow is configured to satisfy that also?

A Duo flow can only satisfy that if it guarantees that a password was collected. But yes, if you start messing with the spec, you're going to break stuff.

>- Would the requested authn context (e.g. PPT) still be returned in the Authn Response?

Almost certainly not.

>- Can ignoredContexts be done on a per-SP basis? (Activation condition?)


-- Scott

More information about the users mailing list