MDDriven overrides for defaultAuthenticationMethods

Cantor, Scott cantor.2 at
Thu Nov 25 00:14:32 UTC 2021

On 11/24/21, 6:23 PM, "users on behalf of Andrew Jason Morgan" <users-bounces at on behalf of morgan at> wrote:

>    What happens if I don't set defaultAuthenticationMethods in the DefaultRelyingParty?  I have
> idp.authn.flows=MFA, and I have defined the supportedPrincipals for authn/MFA.  Do I need to "turn off"
> other flows at all?  I wonder if my defaultAuthenticationMethods setting is just vestigial at this point....

They're for different purposes. The supportedPrincipals property of a login method determines what that method supports so that if something is requested, it knows whether it should try that flow. It generally also auto-populates the result of the flow with those classes.

The defaultAuthenticationMethods property is an IdP-side imposition of a requirement that takes the place of an SP requesting something and is basically in SAML terms the same as if the SP requested an exact match of one of those classes.

Setting anything on the DefaultRelyingParty beans applies if there's no override that directs it to use a different configuration. An override could take effect, and if metadata is involved, the metadata would apply, but only if the override did. Otherwise the default would apply and the explicit setting there would win.

Combining things gets tricky, but is deterministic.

-- Scott

More information about the users mailing list