supported principals and MFA

Wessel, Keith kwessel at
Thu Aug 19 20:15:00 UTC 2021

Glad to hear I was barking up the right tree by setting that. I didn't see a mention of that in the MFA documentation on the wiki. So, it was just a guess.

But unfortunately, no, it's only set once:

[root at d7af2f147b92 shibboleth-idp]# grep -lr AuthenticationPrincipalWeightMap .

And only once in conf/authn/authn-comparison.xml.

Other thoughts? Is my map entry definition from my last email? If nothing else, what class do I need to turn up logging for if I want to see the authn context class ref selection logic in action?


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Thursday, August 19, 2021 3:06 PM
To: Shib Users <users at>
Subject: Re: supported principals and MFA

The weight map is always neceessary. The only time you have any control over what's returned is when the SP requests something directly or otherwise, otherwise it's indeterminate and is simply one of the values present in the Subject.

There's no change in that. The bean just had to move by default because the old spot for it was in a file I removed.

>    It didn't change anything.

It works, I'm using it. I just checked to make sure I didn't overlook a regression. I would suspect maybe you have multiple copies of it, otherwise it's just not what you're using for some other reason.

-- Scott

For Consortium Member technical support, see;!!DZ3fjg!pBebAHTbUa5SD8JHRmuVi-Owhi3It2lz9W8acZ-7K6XZ92ZJXbeET97rLUKdRs3EFA$ 
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list