Fun with proxying to AzureAD
Cantor, Scott
cantor.2 at osu.edu
Mon Jun 7 19:23:21 UTC 2021
On 6/7/21, 2:35 PM, "users on behalf of Tony Skalski via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
> I dealt with a similar situation with proxying to Google - whose IdP only returns
> "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified". See my email to the list from Feb 24 subject:
> "addDefaultPrincipals vs PrincipalProxyResponseMappings". I solved it by adjusting the
> PrincipalProxyResponseMappings in conf/authn/authn-comparison.xml - basically telling the IdP that
> urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified is as good as
> urn:oasis:names:tc:SAML:2.0:ac:classes:Password.
Well, what that feature does isn't exactly saying "these are as good as each other"; rather, it's a mapping across the proxy boundary indicating that on the federated side it's A and on the proxy/Google side it's called B, but it's the same underlying meaning. It operates separately in either direction depending on the need, so it's also a one-way mapping in each case.
There is a separate feature that allows you to actually relate A and B together in general, but the proxy feature is a barrier that insulates this such that it's not necessary to actually tell the IdP to do that.
-- Scott
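As an added illustration of the one-way, proxy-scoped mapping described in this exchange (this is not configuration from either poster or from the Shibboleth project itself), the Google case above expressed as a PrincipalProxyResponseMappings entry in conf/authn/authn-comparison.xml. The map id is the one named in the thread; the entry layout and the shibboleth.SAML2AuthnContextClassRef bean parent are assumed from the IdP 4 distribution's own commented-out example and should be checked against the file shipped with the installed version.

```xml
<!-- Added example, assumed IdP 4 layout of conf/authn/authn-comparison.xml.
     Response direction: the upstream (Google) IdP asserts the key; the proxying IdP
     asserts the listed value(s) to its own relying parties instead. This does NOT
     make the two classes equivalent anywhere else in the IdP. -->
<util:map id="shibboleth.PrincipalProxyResponseMappings">
    <entry>
        <key>
            <!-- What the upstream IdP actually returned. -->
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" />
        </key>
        <list>
            <!-- What the federated side sees in its place. -->
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
        </list>
    </entry>
</util:map>
```

Because the mapping only rewrites what crosses the proxy boundary, a matching PrincipalProxyRequestMappings entry is needed separately if downstream requests for Password must be translated into something the upstream IdP will accept; and since the value asserted downstream is a statement about how the user authenticated, the entry should only be added where the upstream provider's actual authentication is known to satisfy the class being substituted.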