Shibboleth IdP 3.4.6 authentication flow configuration

Cantor, Scott cantor.2 at osu.edu
Fri Jul 17 13:00:37 UTC 2020


It would be simpler if you'd just explain what it is you're trying to get it to do (or not do).

Generally speaking "empty" is never a valid or meaningful value in the configuration. We don't like playing "null != empty" games in the code.

You don't control features being accessible or not by trying to manage authentication in any case. Authentication and authorization are not the same thing, and that remains true within the IdP.

You should also avoid that property anyway. It's there for historical reasons. Controlling which methods are used at runtime to fulfil a request should be accomplished indirectly by expressing requirements more abstractly using the defaultAuthenticationMethods property rather than the authenticationFlows property.

You describe what is required, not how that requirement should be met. That's handled by defining the supportedPrincipals collections on the authentication flows themselves elsewhere, and the IdP marries the two to decide how to do things.

-- Scott
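
The arrangement described in the message above, as an added illustration that is not part of the original post and not taken from the poster's or the project's configuration. It assumes the stock IdP v3 file layout and parent beans; the SP entityID `https://sp.example.org`, the REFEDS MFA class reference as the requirement, and the choice of the `authn/MFA` flow are assumptions made for the example.

```xml
<!-- conf/relying-party.xml: state WHAT is required for this SP.
     No authenticationFlows property is set here. -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- entityID is a constructed sample value -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO">
                    <!-- Requirement expressed abstractly as a principal,
                         applied when the SP's request names no context class -->
                    <property name="defaultAuthenticationMethods">
                        <list>
                            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                                  c:classRef="https://refeds.org/profile/mfa" />
                        </list>
                    </property>
                </bean>
            </list>
        </property>
    </bean>
</util:list>

<!-- conf/authn/general-authn.xml: state HOW a requirement can be met.
     Each flow advertises the principals it is able to produce. -->
<util:list id="shibboleth.AvailableAuthenticationFlows">
    <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
          p:passiveAuthenticationSupported="true"
          p:forcedAuthenticationSupported="true">
        <property name="supportedPrincipals">
            <list>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                      c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
            </list>
        </property>
    </bean>
    <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow">
        <!-- Only this flow lists the MFA class, so the IdP selects it
             for the relying party configured above -->
        <property name="supportedPrincipals">
            <list>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                      c:classRef="https://refeds.org/profile/mfa" />
            </list>
        </property>
    </bean>
</util:list>
```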



