Shib Authn Proxy to Azure and Asserting REFEDS

Cantor, Scott cantor.2 at
Mon Jan 25 13:56:01 UTC 2021

On 1/22/21, 5:03 PM, "users on behalf of Jeffrey Williams via users" <users-bounces at on behalf of users at> wrote:

>    What Azure seems to do instead is return the above AuthnContext and include an attribute

Yes, which is a bug.

>  Will it also allow AuthnContextClassRef to be influenced by a value returned in the attribute statement?


I added an additional mechanism to 4.1 to allow a more generic Function to be injected to do the mapping based on access to the entire state tree rather than just the AuthnContext information. I took that route because I don't think it's fair to people proxying to compliant SAML IdPs to have to do extra work because Microsoft continues to abuse and break the standard.

I also added a support class that can run a Predicate and then run one of two separate Functions based on the result. The net of that is that you will be able to wire up a SimpleAttributePredicate and then a shibboleth.Functions.Constant bean to run to return a particular value when the predicate is true.

-- Scott

More information about the users mailing list