MDDriven overrides for defaultAuthenticationMethods

Andrew Jason Morgan morgan at
Wed Nov 24 20:47:30 UTC 2021

We started using metadata-driven configuration for new SSO setups a while ago, but we still have some relying-party.xml overrides in place for SPs that we haven't migrated to metadata-driven configuration yet.  I set up a new SP recently (metadata-driven config) that requires MFA, but my testing shows that the MFA requirement is not being enforced.  As I played around with the configuration, I learned that the metadata config is not overriding the DefaultRelyingParty configuration for defaultAuthenticationMethods in relying-party.xml.  Here is the snippet from relying-party.xml:

                <bean parent="SAML2.SSO.MDDriven" p:postAuthenticationFlows="#{{'duoman-warn', 'context-check'}}">
                        <property name="defaultAuthenticationMethods">
                                <list>
                                        <ref bean="MFASAML2Principal" />
                                        <ref bean="PasswordPrincipal" />
                                </list>
                        </property>
                </bean>

where those methods are:

    <!-- MFA authenticationContextClass setup -->
    <bean id="MFASAML2Principal" parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="" />

    <!-- PasswordProtectedTransport authenticationContextClass setup -->
    <bean id="PasswordPrincipal" parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />

The SP metadata contains the exact text from the wiki to set defaultAuthenticationMethods:

      <saml:Attribute Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:Attribute Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <!-- The disallowedFeatures setting is a bitmask, and 0x1 blocks SPs requesting authentication types. -->
      <saml:Attribute Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">

If I comment out the defaultAuthenticationMethods from the DefaultRelyingParty config, MFA is enforced correctly.

Is this the expected behavior?

Maybe I don't need to set defaultAuthenticationMethods in the DefaultRelyingParty anyway...

Andy Morgan, Identity & Access Management, IT Operations and Identity
Oregon State University | University Information and Technology | 541-737-8877
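Added example (not part of the post above, and not Shibboleth project code): a small check for the kind of test described in the post. It reads the defaultAuthenticationMethods values an SP's metadata requests via EntityAttributes, reads the AuthnContextClassRef the IdP actually asserted in a SAML Response, and reports whether the asserted context is one the metadata asked for. The EntityAttributes attribute Name, the MFA class value, the entityIDs and both sample documents are constructed for illustration (the post's own values were scrubbed in the archive).

```python
"""Compare the authentication contexts an SP's metadata requests with the
AuthnContextClassRef an IdP actually asserted.  Added example; assumptions:
the EntityAttributes attribute Name and all sample XML below are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Assumed attribute Name carrying defaultAuthenticationMethods in EntityAttributes.
DEFAULT_METHODS_ATTR = "http://shibboleth.net/ns/profiles/defaultAuthenticationMethods"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA = "https://refeds.org/profile/mfa"  # assumed MFA class; the post's value was scrubbed

# Constructed SP metadata: requests MFA only, via EntityAttributes.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}"
    entityID="https://sp.example.edu/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="{DEFAULT_METHODS_ATTR}"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>{MFA}</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""


def _response(context: str) -> str:
    """Build a constructed SAML Response asserting a single AuthnContextClassRef."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2021-11-24T20:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-11-24T20:00:00Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2021-11-24T20:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{context}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


RESPONSE_PASSWORD_ONLY = _response(PASSWORD)  # what a non-enforced login looks like
RESPONSE_MFA = _response(MFA)                 # what an enforced login looks like


def requested_methods(metadata_xml: str, attr_name: str = DEFAULT_METHODS_ATTR) -> list[str]:
    """Return the AttributeValue strings under the given EntityAttributes attribute."""
    root = ET.fromstring(metadata_xml)
    path = f".//mdattr:EntityAttributes/saml:Attribute[@Name='{attr_name}']/saml:AttributeValue"
    return [v.text.strip() for v in root.findall(path, NS) if v.text]


def asserted_contexts(response_xml: str) -> list[str]:
    """Return every AuthnContextClassRef asserted in the response's AuthnStatements."""
    root = ET.fromstring(response_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [c.text.strip() for c in root.findall(path, NS) if c.text]


def mfa_enforced(metadata_xml: str, response_xml: str) -> bool:
    """True iff the IdP asserted at least one context and every asserted context
    is one the SP's metadata requested (so a password-only login is a failure)."""
    wanted = set(requested_methods(metadata_xml))
    got = asserted_contexts(response_xml)
    return bool(got) and all(c in wanted for c in got)


if __name__ == "__main__":
    print("metadata requests:", requested_methods(SP_METADATA))
    for label, resp in (("password-only", RESPONSE_PASSWORD_ONLY), ("mfa", RESPONSE_MFA)):
        print(f"{label}: asserted={asserted_contexts(resp)} enforced={mfa_enforced(SP_METADATA, resp)}")
```

Feed `mfa_enforced` the SP's real metadata and a decoded SAMLResponse captured from a test login; a False result with PasswordProtectedTransport asserted is the symptom described in the post.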