mfaCtx.isAcceptable() and entity tags

Cantor, Scott cantor.2 at osu.edu
Thu Sep 10 12:41:24 UTC 2020


Your Attribute is missing the proper NameFormat, so it is not the correct Attribute, and doesn't match anything the IdP looks for. The IdP only auto-decodes Attributes with the URI NameFormat constant, just as the Attribute transcoding rules assume URI naming when there's no NameFormat set. V4 caches maps of decoded EntityAttributes instead of requiring every piece of code to constantly walk XML object trees by hand with O(N) searches and XML value conversions.

The "Ignore unmapped" thing is a flag that is false by default for compatibility but set via a property that is set to true for new installs to optimize lookups because new installs are assumed to have no compatibility constraints.

Your tag being wrongly "named", it was not mapped into a decoded IdPAttribute, and so the option has to be false to find it by hand the "old" way.

It is possible to add actual custom transcoding rules for arbitrary EntityAttributes, since they are "just" SAML Attributes, but I did not want to require transcoding rules for just simple string-valued, URI-named EntityAttributes to be treated more efficiently. Those get auto-decoded with an "implicit" rule since URIs are always assumed to be unambiguous in meaning.

Note that it is obviously dangerous to "automatically" operate on non-URI named Attributes. There is no guarantee that "Foo" means the same thing to two systems. (This is also why custom claims and scopes in OIDC are broken and dangerous.)

-- Scott
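The lookup behaviour described in the message above, as an added illustration that is not part of the original thread and not Shibboleth IdP code (the IdP is Java; this is a small Python model of the same rules). It parses a constructed EntityAttributes extension containing one Attribute with the URI NameFormat and one with no NameFormat at all, builds the "decoded" map from the URI-named Attributes only, and then shows that the unnamed tag is found only when the ignore-unmapped flag is false and the code falls back to walking the XML. The metadata, the entityID, and the tag name `http://example.org/tags/release-policy` are made up for the example; the function names are the example's own, not the IdP's API.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed sample metadata for the example; not from any real deployment.
# The first Attribute carries the URI NameFormat, the second omits NameFormat,
# which is the mistake the message above is describing.
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://example.org/tags/release-policy">
        <saml:AttributeValue>full</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""


def parse_metadata(text):
    """Parse an EntityDescriptor document and return its root element."""
    return ET.fromstring(text)


def walk_entity_attributes(root):
    """The 'old' way: walk the XML tree and yield (Name, NameFormat, [values])."""
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.findall(path, NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        yield attr.get("Name"), attr.get("NameFormat"), values


def decode_entity_attributes(root):
    """Build the cached map once: only Attributes carrying the URI NameFormat
    are auto-decoded, mirroring the implicit rule described in the message.
    An Attribute with no NameFormat is deliberately left out of the map."""
    decoded = {}
    for name, name_format, values in walk_entity_attributes(root):
        if name_format == URI_NAME_FORMAT:
            decoded[name] = values
    return decoded


def find_tag(root, decoded, name, ignore_unmapped):
    """Look up a tag the way the post describes.

    The decoded map is consulted first (O(1)).  If the tag is not there and
    ignore_unmapped is True, the lookup stops: nothing unmapped is searched
    for.  Only when ignore_unmapped is False does the code fall back to the
    O(N) XML walk, which is the only way a wrongly named tag can be found."""
    if name in decoded:
        return decoded[name]
    if ignore_unmapped:
        return None
    for attr_name, _name_format, values in walk_entity_attributes(root):
        if attr_name == name:
            return values
    return None


def demo():
    """Run both lookups against the sample and return the results as a dict."""
    root = parse_metadata(METADATA)
    decoded = decode_entity_attributes(root)
    unnamed = "http://example.org/tags/release-policy"
    return {
        "decoded": decoded,
        "unnamed_with_ignore": find_tag(root, decoded, unnamed, ignore_unmapped=True),
        "unnamed_without_ignore": find_tag(root, decoded, unnamed, ignore_unmapped=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Adding `NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` to the second Attribute in the sample moves it into the decoded map, after which the lookup succeeds regardless of the flag; that is the fix the message is pointing the original poster at.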
