authnContextTranslationStrategyEx: passing through the authenticationContextClassRef unmodified?

Wessel, Keith kwessel at
Wed Oct 13 02:20:49 UTC 2021

Thanks for this info; this helps.

Regarding the comment on the fix: when you say cascades, you mean if the function returns nothing, it falls back on whatever came from the upstream IdP instead of responding with unspecified? If so, yes, I agree that that would make a lot of sense. If one really wanted to return unspecified, which we all know is a very bad idea, then they could explicitly do that in the function.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Tuesday, October 12, 2021 7:41 PM
To: Shib Users <users at>
Subject: Re: authnContextTranslationStrategyEx: passing through the authenticationContextClassRef unmodified?

On 10/12/21, 8:26 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

> Is there an easy way to get the current response from the upstream IdP 
> and, specifically, the acr values from it to use as a default return 
> from my function? I'm not seeing anything obvious in the context tree that would provide that information.

Nothing trivial. From the "right" PRC, you go up to AuthenticationContext and down to SAMLAuthnContext, and the authentication statement it processed is in there. From the broken input now, you go down to the AuthenticationContext and then down to the SAMLAuthnContext.

I think it makes sense to fix the code so it cascades and tries the options in order until it gets a non-null result, to avoid having to do it manually.

-- Scott
