Returning an AuthnContextDecl using Sibboleth3 external auth

Cantor, Scott cantor.2 at
Tue May 12 13:27:57 EDT 2015

On 5/12/15, 1:20 PM, "Stefan Santesson" <stefan at> wrote:
>On 12/05/15 15:49, "Cantor, Scott" <cantor.2 at> wrote:
>>We have no support for AuthnContext declarations, we never have. We
>>support ClassRef or DeclRef (but not both, since that's not legal).
>I think you are wrong here,
>It is definitely allowed by the XML Schema for AuthnContextType
>This may hold both a ClassRes AND a choice between DeclRef or ContextDecl

Yes, you're correct. There is no path in the IdP that will support that. The bean that produces the AuthnStatement populates one or the other, but not both.

-- Scott

More information about the users mailing list