Can I access AuthnContextClassRef in a flow decision state?

Cantor, Scott cantor.2 at osu.edu
Wed Jun 15 16:41:18 EDT 2016


On 6/15/16, 3:00 PM, "users on behalf of Jim Fox" <users-bounces at shibboleth.net on behalf of fox at washington.edu> wrote:

>I have an authn flow whose bean description specifies supportedPrincipals 
>of PasswordProtectedTransport, Password, and unspecified.

FYI, the latter value will never trigger anything, I don't think.

>When a request 
>arrives asking for AuthnContextClassRef=TimeSyncToken this flow still gets run.

That shouldn't happen. It should check for that and prevent it from running.

>Is there a way in the flow description decision states to access the 
>request's AuthnContextClassRef?  So I can pass on these requests.

It really depends on exactly what question you want it to answer. Brute forcing is possible, I suppose. The data is stored below the AuthenticationContext; it's in a subcontext called RequestedPrincipalContext.

But as I say there'd have to be a bug for that to happen at all.

-- Scott



