Fun with proxying to AzureAD

Tony Skalski ajs at
Mon Jun 7 18:34:46 UTC 2021

Are you referring to the fact that the SP is requesting the AuthnContextClassRef but Azure is returning
something like "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"?

I dealt with a similar situation with proxying to Google - whose IdP only
returns "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified". See my email
to the list from Feb 24 subject: "addDefaultPrincipals vs
PrincipalProxyResponseMappings". I solved it by adjusting
the PrincipalProxyResponseMappings in conf/authn/authn-comparison.xml -
basically telling the IdP
that urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified is as good
as urn:oasis:names:tc:SAML:2.0:ac:classes:Password.

If there is a way to get Azure to implement
that would be preferable. IIRC someone on one of the Shib NIH MFA calls
mentioned that Microsoft was working on this, but I could be misremembering
things. My solution is not optimal as it somewhat misrepresents the
authentication (in our case MFA is enforced by Google for all accounts),
but I had no hope that Google was going to fix it anytime soon.


On Fri, Jun 4, 2021 at 2:45 PM mat houser <mhouser at> wrote:

> Hello all,
> We're working on proxying our Shib IdP to Azure mostly to get our
> student population enrolled in an MFA solution. Everything appears to be
> working properly except for the business
> breaking things when the user hits the Azure login page.
> I saw that there was a thread around January on this topic, but is there
> any documentation around on what we would need to do to proxy requests
> from SPs that are requiring the MFA context, or does anybody have any
> examples of how other institutions have addressed this issue?
> Thanks in advance,
> -Mat
> --
> -------------
> mat:houser
> mhouser at
> uwm:uits:iam-support
> -------------

*Tony Skalski*
System Administrator | IT

*Office:* 507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057
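
An added example, not part of the original message and not Shibboleth code: a small Python model of the AuthnContextClassRef mismatch and the response-mapping workaround described above. The sample AuthnStatement is constructed, the function names are hypothetical, the REFEDS MFA URI stands in for "the MFA context", and keeping the upstream value alongside the mapped ones is an assumption of this model.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
MFA = "https://refeds.org/profile/mfa"  # assumed MFA context requested by an SP

# Constructed sample: the AuthnStatement an upstream IdP might return.
SAMPLE_STATEMENT = """
<saml:AuthnStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     AuthnInstant="2021-06-07T18:00:00Z">
  <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
  </saml:AuthnContext>
</saml:AuthnStatement>
"""

# Model of a response mapping: upstream class -> classes the proxy accepts it as.
RESPONSE_MAPPINGS = {UNSPECIFIED: {PASSWORD}}


def upstream_class_ref(statement_xml):
    """Extract the AuthnContextClassRef the upstream IdP asserted."""
    root = ET.fromstring(statement_xml.strip())
    node = root.find("saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("AuthnStatement carries no AuthnContextClassRef")
    return node.text.strip()


def effective_classes(upstream, mappings):
    """Upstream class plus whatever the mapping declares equivalent to it."""
    return {upstream} | set(mappings.get(upstream, ()))


def satisfies(requested, statement_xml, mappings):
    """Exact-match check of the SP's requested classes against the result."""
    if not requested:  # SP asked for nothing specific
        return True
    upstream = upstream_class_ref(statement_xml)
    return bool(set(requested) & effective_classes(upstream, mappings))


if __name__ == "__main__":
    print("Password, no mapping:  ", satisfies([PASSWORD], SAMPLE_STATEMENT, {}))
    print("Password, with mapping:", satisfies([PASSWORD], SAMPLE_STATEMENT, RESPONSE_MAPPINGS))
    print("MFA, with mapping:     ", satisfies([MFA], SAMPLE_STATEMENT, RESPONSE_MAPPINGS))
```

The last case stays unsatisfied: mapping "unspecified" to "Password" does not make the proxy able to answer an MFA request, and adding an MFA entry to the mapping would assert something the upstream response never stated.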