AW: Shibboleth 4 IDP: assign attribute resolver to specific flow

Moritz Reichelt MReichelt at
Wed Dec 9 15:25:17 UTC 2020

On 12/9/20, 9:13 AM, "users on behalf of Moritz Reichelt"
<users-bounces at on behalf of MReichelt at> wrote:

>    I have two login flows: authn/Password and authn/PasswordLDAP.

I would also add, absolutely do NOT do any of that. The Password flow in 4.0
already does whatever it is you're trying to do there (and doing in an
almost certainly unsupported way) without needing to duplicate a flow and
turn it into separate ones.

-- Scott

Let me explain why I created my own login flow: 
We have two login sources which the IDP needs to query in row. One is an
Active Directory running on a remote server and the second one is a MySQL
database running on the same server as the IDP. Some users are stored in the
Active Directory, some in the database. I absolutely cannot combine both
sources into one, which would of course make things a lot easier, but
unfortunately I am not allowed to do so.

Therefore I have created a PasswordLDAP flow to query the ActiveDirectory
and I use the standard Password flow to query the local DB. What I want is
the following: 
when the user tries to login, his credentials should be checked using the AD
first. If that succeeds, authentication succeeds. If it fails, the local DB
should be checked next. If that lookup succeeds, he gets authenticated too.
If both sources fail, the authentication fails.

For that reason I cannot use just the standard Password flow, as it only
allows to check one source.

Now I have two login flows and I combined them in a
MultiFactorAuthentication flow to achieve the behaviour described above. I
created two DataConnectors to resolve attributes. I need two because the
users data is stored in different ways in the AD and the database. However,
I cannot specify which DataConnector should be used to resolve attributes
(depending on the flow that was used), which I need to determine whether
authentication failed or succeeded. 

 I'm sorry to write such a long text, but that is my core problem now: 
when I put both DataConnectors in the attribute-resolvers.xml file, the
ActiveDirectory query works fine and attributes are sent to my Service
Provider, but querying the database results in a Runtime Exception being
thrown, with no explaining error message. I will append the stack trace to
this email.
Therefore I was asking how to separate the attribute-resolvers.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: stack trace.txt
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2927 bytes
Desc: not available
URL: <>

More information about the users mailing list