Adding a post authentication flow to an SP using metadata-driven configuration

Wessel, Keith kwessel at
Tue Oct 12 01:31:13 UTC 2021

Hi, Scott,

Yes, I'm just enabling metadata driven for the default profile. Turns out the problem is I was trying to set default post-authentication flows in the relying party defaults bean of relying-party.xml but trying to override them with a metadata driven configuration. I had this in shibboleth.DefaultRelyinParty:

                <bean parent="SAML2.SSO.MDDriven" p:postAuthenticationFlows="#{ {'terms-of-use', 'attribute-release'} }" />

That was fine until I tried to override that with new post-authentication flows using metadata driven config settings. I wanted to replace those two flows for a set of SPs with warning and context-check, as I said earlier. If I change the entry in the default relying party config to just:

                <ref bean="SAML2.SSO.MDDriven"/>

Then my metadata driven post-authentication flows work. But if I try to set defaults in relying-party.xml and override them with metadata-driven settings, the metadata-driven settings for the post-authentication flows are ignored.

Is this intentional? Or should I be able to set a default and override it with metadata-driven settings? I can always set my default using metadata-driven settings, too, if need be.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Monday, October 11, 2021 5:52 PM
To: Shib Users <users at>
Subject: Re: Adding a post authentication flow to an SP using metadata-driven configuration

On 10/11/21, 6:29 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

>    What am I overlooking?

Depends how you're trying to enable the whole feature in the first place but it looks correct provided you're enabling it globally with the SAML2.SSO.MDDriven, etc. beans. If you're trying to make the metadata support more fine grained to limit the impact that's much easier to get wrong.

-- Scott

For Consortium Member technical support, see;!!DZ3fjg!qGTwclKhSv7h_YZZTLP9ECGHuTKEJBr0lNmVbi2qDhjNn9ItILQq1roAXQz1L5eO9A$ 
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list