Need to modify AuthnContextClassRef in ExternalAuth

Stefan Santesson stefan at
Tue Dec 22 10:11:01 EST 2015

Inline:

On 22/12/15 15:37, "users on behalf of Cantor, Scott" <users-bounces at on behalf of cantor.2 at> wrote:

>I didn't really know how to ask what I'm asking. If it's standard SSO, that's what I was trying to find out. I cannot, FWIW, understand how it's physically possible to end up with this error in that case unless you are not in fact using up to date config files due to a problem during an upgrade. That's the only reason I could think of.

I started off doing a regular upgrade, and got this problem. I then changed strategy.
I made a new fresh clean install. I didn’t copy one single config file right over, I just pasted the specific configs I needed for flows, metadata, attribute resolution and attribute filtering.
The files in edit-webapp are (except for the css folder) a copy from my old 3.1.1 install, so I was worried that something in my web.xml could cause this, but I don’t think so.

So every single config file is either standard 3.2.1 or an edited 3.2.1 config file.

Nothing in the system folder has been changed or edited.

>Looking at your log trace, that's my immediate guess. I need to do some comparisons to a correctly working run, but the logging I'm seeing suggests that your config is not in sync. You have older flow config files being used instead of up to date ones. I'm not aware of any way that would be possible. An upgrade will overwrite those files.
>Can you send me a copy of what's in system/flows/saml/saml2/sso-abstract-flow.xml?
>Or really to the point, see if "ClientStorageLoad" appears in that file. If so, I'm pretty lost. But it seems very clear to me you don't have the right files.

The word "ClientStorageLoad" appears in the following parts of sso-abstract-flow.xml:

    <action-state id="DoProfileWork">
        <evaluate expression="VerifyChannelBindings" />
        <evaluate expression="PopulateECPContext" />
        <evaluate expression="'proceed'" />
        <transition on="proceed" to="PopulateClientStorageLoadContext" />
    </action-state>

    <action-state id="PopulateClientStorageLoadContext">
        <evaluate expression="PopulateClientStorageLoadContext" />
        <evaluate expression="'proceed'" />
        <transition on="proceed" to="ClientStorageLoad" />
        <transition on="NoLoadNeeded" to="CheckInitialAuthentication" />
    </action-state>

    <subflow-state id="ClientStorageLoad" subflow="client-storage/read">
        <input name="calledAsSubflow" value="true" />
        <transition on="proceed" to="CheckInitialAuthentication"/>
    </subflow-state>

I can paste the whole content here, but I promise I haven’t messed with it.


>-- Scott