Different authnContextClassRef by different IDP

Vjger vjger69 at gmail.com
Thu Feb 27 11:01:52 EST 2020

We have an SP federated with different IDPs.

One of these is ours (by Shib IDP v3), the others are external.

The external block of IDPs requires a specific authnContextClassRef.

Configuring it via the <ApplicationDefaults> tag works.

Say for example that my ApplicationDefaults is something like:

<ApplicationDefaults entityID="https://www.xyz.com"
                     REMOTE_USER="shibattr-uid eppn subject-id pairwise-id persistent-id"
                     attributePrefix="AJP_" signing="true"
                     authnContextClassRef="https://www.abc.com" authnContextComparison="minimum">

The problem is that we have an error on our internal IDP because the
authnContextClassRef is global.

To avoid it we've managed the configuration (general-authn.xml) of the internal IDP
in this way:

        <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
                        <property name="supportedPrincipals">

c:classRef="https://www.abc.com" />

So we avoid the error but it's not pretty. Is there a way to link a specific
AuthnContextClassRef to a specific IDP (we use the Discovery Service via the
<SessionInitiator type="SAMLDS"> tag)?

Thanks in advance

Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
