MDDriven overrides for defaultAuthenticationMethods
cantor.2 at osu.edu
Thu Nov 25 00:14:32 UTC 2021
On 11/24/21, 6:23 PM, "users on behalf of Andrew Jason Morgan" <users-bounces at shibboleth.net on behalf of morgan at oregonstate.edu> wrote:
> What happens if I don't set defaultAuthenticationMethods in the DefaultRelyingParty? I have
> idp.authn.flows=MFA, and I have defined the supportedPrincipals for authn/MFA. Do I need to "turn off"
> other flows at all? I wonder if my defaultAuthenticationMethods setting is just vestigial at this point....
They're for different purposes. The supportedPrincipals property of a login method determines what that method supports so that if something is requested, it knows whether it should try that flow. It generally also auto-populates the result of the flow with those classes.
The defaultAuthenticationMethods property is an IdP-side imposition of a requirement that takes the place of an SP requesting something and is basically in SAML terms the same as if the SP requested an exact match of one of those classes.
Setting anything on the DefaultRelyingParty beans applies if there's no override that directs it to use a different configuration. An override could take effect, and if metadata is involved, the metadata would apply, but only if the override did. Otherwise the default would apply and the explicit setting there would win.
Combining things gets tricky, but is deterministic.
More information about the users