Need to modify AuthnContextClassRef in ExternalAuth

Stefan Santesson stefan at
Fri Dec 18 13:10:56 EST 2015

Hi Scott,

I’m trying to find information about how to do what you suggest.

>You have to turn that off (set shibboleth.authn.External.addDefaultPrincipals to java.lang.Boolean.FALSE) and change that code to add the specific AuthnContextClassRefPrincipal you want it to carry back.

I suppose this is done in external-auth-config.xml

Would this work?

<util:constant id="shibboleth.authn.External.addDefaultPrincipals" static-field="java.lang.Boolean.FALSE" />

>>The effect of this is that if e.g. "” is requested, then this is the context class ref returned in the assertion, given that authentication succeeded.
>That will happen, but that's because it sees all three values in the Subject's principal set, and picks the one to return that satisfies the original request.
>>How can I accept a request with no requested class ref, and determine in the ExternalAuthn servlet, which should be returned?
>By adding the ones you specifically want included and turning off the auto-add setting.

I assume this is done in the Java servlet code when constructing the Subject object.

This is what I currently do:

            Principal principal = new UsernamePrincipal(principalName);
            Subject subj = new Subject();

            request.setAttribute(, principalName);
            request.setAttribute(, principal);
            request.setAttribute(, subj);

How do I add the selected AuthnContextClassRef URI?

Sorry if this should be obvious, but if you have any info or examples to point me to, you would save me a lot of research.
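
An added example, not part of the original message and not Shibboleth's own code: one way the servlet could build the Subject discussed above, assuming shibboleth.authn.External.addDefaultPrincipals has been set to FALSE as described in the quoted reply. The class name ClassRefSubjectBuilder, its method names and the two sample class-ref URIs are assumptions for illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;

import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;

/** Hypothetical helper for an external-authentication servlet. */
public final class ClassRefSubjectBuilder {

    // Sample values (constructed): the context classes this servlet can
    // actually perform. Replace with the URIs your deployment supports.
    private static final Set<String> SUPPORTED_CLASS_REFS =
        Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
            "urn:oasis:names:tc:SAML:2.0:ac:classes:X509")));

    private ClassRefSubjectBuilder() { }

    /**
     * Builds a Subject carrying the user name and exactly one class ref.
     * performedClassRef must describe the authentication that really took
     * place in the servlet; it must not be copied from the incoming request.
     */
    public static Subject buildSubject(String principalName, String performedClassRef) {
        if (principalName == null || principalName.isEmpty()) {
            throw new IllegalArgumentException("principal name is required");
        }
        if (!SUPPORTED_CLASS_REFS.contains(performedClassRef)) {
            throw new IllegalArgumentException("unsupported class ref: " + performedClassRef);
        }
        Subject subject = new Subject();
        subject.getPrincipals().add(new UsernamePrincipal(principalName));
        subject.getPrincipals().add(new AuthnContextClassRefPrincipal(performedClassRef));
        return subject;
    }

    /** Hands only the Subject back, so the principals it carries are the ones added above. */
    public static void attach(HttpServletRequest request, String principalName,
                              String performedClassRef) {
        request.setAttribute(ExternalAuthentication.SUBJECT_KEY,
            buildSubject(principalName, performedClassRef));
    }
}
```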


