Need to modify AuthnContextClassRef in ExternalAuth

Cantor, Scott cantor.2 at
Mon Dec 14 09:37:01 EST 2015

On 12/14/15, 9:04 AM, "users on behalf of Stefan Santesson" <users-bounces at on behalf of stefan at> wrote:

>I was told that this feature was deliberately removed from V3, that you needed to commit to one class ref before selecting authentication flow and then stick to that and return this class ref in the assertion.

No, that's how *V2* worked. If you were circumventing that, you could have easily broken the IdP.

V3 models all expressions like this as custom Principals. You can put any Principal objects you want into the Java Subject you return to the flow.

You would have to ensure that all possible contexts were included in the external flow's supportedPrincipals property, turn off the setting that causes it to auto-add them all back into the Subject at the end, and ensure that the correct Principal(s) were included by your code.

-- Scott

More information about the users mailing list