Using a different SP entity ID with the IdP SAML authn flow

Cantor, Scott cantor.2 at
Thu Sep 2 19:25:16 UTC 2021

On 9/2/21, 3:04 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

>    Thanks, Scott. So, to make this dynamic and use a different SP entity ID based on, for example,
> authnContextClassRef of the original incoming request, I can create a bean and set the
> relyingPartyLookupStrategy on the specific relying party override bean to point to that bean. Is that correct?

I think you mean responderIdLookupStrategy (and if not, that's the correct setting), but yes.

>    I assume my custom bean just returns a string with the entity ID that Shibboleth should identify itself as. Any
> pointers to other beans in the IdP configuration that would be a good example for me to base mine off of?

Nothing that would be relevant to looking at the AuthnRequest I can think of, and this is much more tricky, you're talking about this running when it's in the middle of proxying, so the tree is very messy at that point. Your function runs against a ProfileRequestContext that's sitting underneath the AuthenticationContext, it's nested. You probably want to base it on the cooked data, not the AuthnRequest.

input.getParent().getSubcontext(RequestedPrincipalContext.class) in that lookup strategy call should actually go up and then back down to where the requested context class(es) have been pulled out and stuffed into the tree during authentication.

All of that could also be wrong, this is just a back of the envelope guess.

-- Scott

More information about the users mailing list