Script the value of the discovery url for SAML auth flow? (discovery-config.xml)

Jeremy A Scott jeremy.scott at
Wed Jul 29 16:49:41 UTC 2020

Hi all,

We have a Proxy IdP for our federation/discovery incapable vendors. We’re using IdPv4 and SAML as the authn type for it, proxying requests, attributes and even MFA contexts to and from the real IdP’s.

We have a vendor who is SAML challenged and their software is a thick client with a limited web browser for login that doesn’t play nicely with our standard federation discovery page.
We don’t know why. They don’t know why. Our customers don’t care and the perception is that our login service is broke and we must fix it.

We built a second discovery service that has dumbed down web elements that will render on any limited built in browser and works with their software. We were able to invoke it when our Proxy was IdPv3 with External Remote User flows for authn, but we’re having a hard time replicating that in v4.

What’d I’d like to do is put some script in there that says ‘When the relying party is this entityid, go to this other discovery service.’ Is that even possible?

In the IdPv4 distribution there’s a file called discovery-config.xml which looks like this this would be the place to do that.
(Script it such that: When relying party is X, go to discovery URL Y, otherwise Z.)

    <!-- Alternatively specify a Function<ProfileRequestContext,String> to return the URL. -->
    <bean id="shibboleth.authn.discoveryURLStrategy"
            parent="shibboleth.ContextFunction.Scripted" factory-method="inlineScript">

However, when I uncomment this section and put in any discovery url value, script etc… I get the following error:

org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'shibboleth.authn.discoveryURLStrategy' defined in file [/opt/shibboleth-idp/system/flows/authn/../../../conf/authn/discovery-config.xml]: Could not resolve parent bean definition 'shibboleth.ContextFunction.Scripted'; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'shibboleth.ContextFunction.Scripted' available

Is there a better way for me to change the discovery URL for SAML authn based on the relying party? (Something in relying-party.xml or, even better, metadata?)

Thanks Much!


Jeremy Scott
Identity and Access Management
Application Integration Services
Division of Information Technology
University of Wisconsin-Madison
jeremy.scott at

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list