MDDriven overrides for defaultAuthenticationMethods

Andrew Jason Morgan morgan at
Thu Nov 25 01:26:07 UTC 2021

It seems like I should be able to remove my defaultAuthenticationMethods setting from the DefaultRelyingParty.  Our authn/MFA flow has:

            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
                </list>
            </property>

and defaultAuthenticationMethods allows "" and "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport".

What happens if an SP requests an accRef that is not in the authn/MFA supportedPrincipals list?  We have idp.authn.flows=MFA, and it uses the authn/Password and authn/Duo flows internally.


From: users <users-bounces at> on behalf of Cantor, Scott <cantor.2 at>
Sent: Wednesday, November 24, 2021 4:14 PM
To: Shib Users <users at>
Subject: Re: MDDriven overrides for defaultAuthenticationMethods


On 11/24/21, 6:23 PM, "users on behalf of Andrew Jason Morgan" <users-bounces at on behalf of morgan at> wrote:

>    What happens if I don't set defaultAuthenticationMethods in the DefaultRelyingParty?  I have
> idp.authn.flows=MFA, and I have defined the supportedPrincipals for authn/MFA.  Do I need to "turn off"
> other flows at all?  I wonder if my defaultAuthenticationMethods setting is just vestigial at this point....

They're for different purposes. The supportedPrincipals property of a login method determines what that method supports so that if something is requested, it knows whether it should try that flow. It generally also auto-populates the result of the flow with those classes.

The defaultAuthenticationMethods property is an IdP-side imposition of a requirement that takes the place of an SP requesting something and is basically in SAML terms the same as if the SP requested an exact match of one of those classes.

Setting anything on the DefaultRelyingParty beans applies if there's no override that directs it to use a different configuration. An override could take effect, and if metadata is involved, the metadata would apply, but only if the override did. Otherwise the default would apply and the explicit setting there would win.

Combining things gets tricky, but is deterministic.

-- Scott
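An added relying-party.xml fragment (not from this thread, and not the poster's configuration) illustrating the distinction Scott draws: a defaultAuthenticationMethods setting on the DefaultRelyingParty acts as an IdP-imposed exact-match request for every SP that no override matches, while an override that does match supplies its own setting and the default is not consulted. The override entity ID and the MFA class URI are placeholders; the bean parents (RelyingParty, SAML2.SSO, RelyingPartyByName, shibboleth.SAML2AuthnContextClassRef) are the stock IdP v4 names, and the standard p:/c: namespace prefixes from the shipped file are assumed.

```xml
<!-- Default: applies only when no entry in shibboleth.RelyingPartyOverrides matches.
     Behaves as if every such SP requested an exact match of one of these classes. -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO">
                <property name="defaultAuthenticationMethods">
                    <list>
                        <bean parent="shibboleth.SAML2AuthnContextClassRef"
                            c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
                    </list>
                </property>
            </bean>
        </list>
    </property>
</bean>

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- Override for one SP (placeholder entity ID). When this matches, this bean's
         setting is what applies; the DefaultRelyingParty value above is not consulted,
         so an override that omits defaultAuthenticationMethods imposes nothing. -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO">
                    <property name="defaultAuthenticationMethods">
                        <list>
                            <!-- Placeholder MFA class URI; substitute the one the MFA flow
                                 advertises in its supportedPrincipals list. -->
                            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                                c:classRef="https://example.org/ac/classes/mfa-PLACEHOLDER" />
                        </list>
                    </property>
                </bean>
            </list>
        </property>
    </bean>
</util:list>
```

Whichever bean ends up selected, the class it imposes must appear in some enabled flow's supportedPrincipals, or no flow will be eligible to satisfy the requirement.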
