Applying MD driven and configured post-authentication flows

Ian Bobbitt ibobbitt at
Mon Nov 26 15:35:03 EST 2018

What's the best way to apply both metadata driven and IdP configured post-authentication flows?

In my case, I want to apply the expiring-password intercept to all SPs, and a few SPs need custom context check intercepts.

Adding an Attribute with Name to the metadata for an SP seems
to replace all p:authenticationFlows configured on SAML2.SSO.MDDriven in the relying party config rather than merging
like I was hoping.

I control all of the metadata here, so I don't need to sanitize external input by indirect filtering on tags, unless
that ends up being easier.

-- Ian
