Fun with proxying to AzureAD

Cantor, Scott cantor.2 at
Mon Jun 7 19:23:21 UTC 2021

On 6/7/21, 2:35 PM, "users on behalf of Tony Skalski via users" <users-bounces at on behalf of users at> wrote:

> I dealt with a similar situation with proxying to Google - whose IdP only returns
> "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified". See my email to the list from Feb 24 subject:
> "addDefaultPrincipals vs PrincipalProxyResponseMappings". I solved it by adjusting the
> PrincipalProxyResponseMappings in conf/authn/authn-comparison.xml - basically telling the IdP that
> urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified is as good as
> urn:oasis:names:tc:SAML:2.0:ac:classes:Password.

Well, what that feature does isn't exactly saying "these are as good as each other", rather it's a mapping across the proxy boundary indicating that on the federated side, it's A and on the proxy/Google side it's called B, but it's the same underlying meaning. It operates separately in either direction depending on the need, so it's also a one-way mapping in each case.

There is a separate feature that allows you to actually relate A and B together in general, but the proxy feature is a barrier that insulates this such that it's not necessary to actually tell the IdP to do that.

-- Scott
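As an added illustration of the mapping Scott describes above (this is not from the thread and not the Shibboleth project's own sample configuration), here is what the two proxy mapping beans in conf/authn/authn-comparison.xml look like when the upstream IdP only ever returns "unspecified". The response mapping translates what comes back across the proxy boundary; the request mapping translates what the IdP sends upstream. Each is its own one-way table, which is why both appear. The bean and map names are those of Shibboleth IdP v4 as I recall them and are an assumption here; check them against the comparison file shipped with your own version before relying on this.

```xml
<!-- Added example (not from the original post): replaces the empty
     PrincipalProxy*Mappings maps in conf/authn/authn-comparison.xml.
     Bean names (shibboleth.PrincipalProxyResponseMappings,
     shibboleth.PrincipalProxyRequestMappings, shibboleth.SAML2AuthnContextClassRef)
     are assumed to match the IdP v4 distribution; verify locally. -->

<!-- Upstream -> federated side: when the proxied IdP asserts "unspecified",
     record it on our side as "Password" (one direction only). -->
<util:map id="shibboleth.PrincipalProxyResponseMappings">
    <entry>
        <key>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" />
        </key>
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
        </list>
    </entry>
</util:map>

<!-- Federated side -> upstream: when an SP asks us for "Password", ask the
     proxied IdP for "unspecified" instead, since that is all it understands.
     This is a separate table; nothing here is implied by the map above. -->
<util:map id="shibboleth.PrincipalProxyRequestMappings">
    <entry>
        <key>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
        </key>
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" />
        </list>
    </entry>
</util:map>
```

The security point worth keeping in mind: the response mapping is scoped to the proxy flow, so it does not make "unspecified" satisfy a Password requirement for users who authenticate locally. If you instead used the general equivalence mechanism Scott mentions, that broader statement would apply to every flow, not just the proxied one.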
