supported principals and MFA

Cantor, Scott cantor.2 at
Thu Aug 19 20:38:06 UTC 2021

On 8/19/21, 4:15 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

> Glad to hear I was barking up the right tree by setting that. I didn't see a mention of that in the MFA
> documentation on the wiki. So, it was just a guess.

It's not specific to MFA.

> Is my map entry definition from my last email? If nothing else, what class do I need to turn up logging for if I
> want to see the authn context class ref selection logic in action?

I doubt it's logged much; it's all pretty low-level stuff. It just works in my experience; I don't tend to log things like a sorting call. DEBUG is all there really is.

One of the configs just isn't what you think it is. First thing to do is check for missing commas in the supportedPrincipals properties if they span lines. I get that wrong a lot.

I would probably debug it by diving into the Subject and trying to grok out what's inside it, via the Principal collections, and verifying that the context classes are actually there. I usually do that with the attribute resolver just because it's relatively flexible and scriptable and reloadable, so it's a good way to go attacking objects.

A more complete answer is a debugger in Eclipse, of course, but I have never actually done that with my running IdP on a server.

-- Scott
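
The missing-comma check suggested in the message above, as an added example that is not part of the original post or of the Shibboleth code base. The property names, principal values and the `saml2/` / `saml1/` prefixes in the sample are constructed for illustration; the script assumes `=` is used as the key separator.

```python
import re

# Constructed sample, not taken from the thread: the first continuation
# line of the MFA property is missing its trailing comma.
SAMPLE = r"""
idp.authn.MFA.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:password
idp.authn.Password.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:password
"""

PREFIX = re.compile(r"(?:saml2|saml1)/")  # assumed principal type prefixes


def logical_lines(text):
    """Join continued lines as java.util.Properties does (backslash and next line's indent dropped)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not buf and (not line or line[0] in "#!"):
            continue  # blank line or comment outside a continuation
        # An odd number of trailing backslashes marks a continuation.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def find_fused_principals(text):
    """Return (property, entry) pairs where one comma-separated entry holds several principals."""
    problems = []
    for line in logical_lines(text):
        key, _, value = line.partition("=")
        if not key.strip().endswith(".supportedPrincipals"):
            continue
        for entry in (e.strip() for e in value.split(",")):
            # A well-formed entry has exactly one prefix and no whitespace.
            if entry and (len(PREFIX.findall(entry)) != 1 or re.search(r"\s", entry)):
                problems.append((key.strip(), entry))
    return problems


if __name__ == "__main__":
    print(find_fused_principals(SAMPLE))
```

Because the continuation is joined before the value is split on commas, a dropped comma silently turns two principals into one that matches nothing, which is why the flow appears not to support the requested context class.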
