Need to modify AuthnContextClassRef in ExternalAuth

Stefan Santesson stefan at
Mon Dec 14 09:04:28 EST 2015


Recently I had a question here about the feature in V2 IdP that allowed you to set AuthnContextClassRef in the ExternalAuthn module.

I was told that this feature was deliberately removed from V3, that you needed to commit to one class ref before selecting authentication flow and then stick to that and return this class ref in the assertion.

This may turn out to be a major obstacle when trying to use Shib as a base for a cross-border proxy IdP node in the context of the EU eIDAS regulation.
When my node receives a request for authentication that is forwarded to another country node, I don’t know beforehand what I will return from the other country. The ExternalAuthn module in my proxy node acts as an SP requestor to the SAML node in the other country. When it receives an assertion back, it needs to decide what AuthnContextClassRef will be returned in its response to the original SP.

Is there any chance of solving this issue without rewriting the code of Shibboleth IdP?

