Shib Authn Proxy to Azure and Asserting REFEDS
Cantor, Scott
cantor.2 at osu.edu
Mon Jan 25 13:56:01 UTC 2021
On 1/22/21, 5:03 PM, "users on behalf of Jeffrey Williams via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
> What Azure seems to do instead is return the above AuthnContext and include an attribute
Yes, which is a bug.
> Will it also allow AuthnContextClassRef to be influenced by a value returned in the attribute statement?
No.
I added an additional mechanism to 4.1 to allow a more generic Function to be injected to do the mapping based on access to the entire state tree rather than just the AuthnContext information. I took that route because I don't think it's fair to people proxying to compliant SAML IdPs to have to do extra work because Microsoft continues to abuse and break the standard.
I also added a support class that can run a Predicate and then run one of two separate Functions based on the result. The net of that is that you will be able to wire up a SimpleAttributePredicate and then a shibboleth.Functions.Constant bean to run to return a particular value when the predicate is true.
-- Scott
More information about the users
mailing list