authnContextTranslationStrategyEx: passing through the authenticationContextClassRef unmodified?
Wessel, Keith
kwessel at illinois.edu
Wed Oct 13 02:20:49 UTC 2021
Thanks for this info; this helps.
Regarding the comment on the fix: when you say cascades, you mean if the function returns nothing, it falls back on whatever came from the upstream IdP instead of responding with unspecified? If so, yes, I agree that that would make a lot of sense. If one really wanted to return unspecified, which we all know is a very bad idea, then they could explicitly do that in the function.
Keith
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Tuesday, October 12, 2021 7:41 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: authnContextTranslationStrategyEx: passing through the authenticationContextClassRef unmodified?
On 10/12/21, 8:26 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
> Is there an easy way to get the current response from the upstream IdP
> and, specifically, the acr values from it to use as a default return
> from my function? I'm not seeing anything obvious in the context tree that would provide that information.
Nothing trivial. From the "right" PRC, you go up to AuthenticationContext and down to SAMLAuthnContext, and the authentication statement it processed is in there. From the broken input now, you go down to the AuthenticationContext and then down to the SAMLAuthnContext.
I think it makes sense to fix the code so it cascades and tries the options in order until it gets a non-null result, to avoid having to do it manually.
-- Scott