Using a different SP entity ID with the IdP SAML authn flow

Cantor, Scott cantor.2 at osu.edu
Fri Sep 3 12:05:15 UTC 2021


On 9/2/21, 3:57 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

>    So, something like this?

The RequestedPrincipalContext is not a context class in the SAML sense, it's one in the IdP sense. It's a Java object containing the extracted details from the AuthnRequest in neutral form. The javadocs on it will demonstrate how to use it to examine the contents once you have a handle on it.

>    Does that look sane? If it doesn't work, I'll certainly study the docs for some of the objects I'm using to get
> the requested authnContextClassRef since, as you stated, that's a rough guess.

You need the docs.

http://shibboleth.net/sites/release/java-identity-provider/4.1.4/apidocs/net/shibboleth/idp/authn/context/RequestedPrincipalContext.html

Basically, assuming getOperator() is "exact", the getRequestedPrincipals() method will return the AuthnContextClassRefPrincipal objects that got built from the SP's request, which you can search through for a match, which in turn will return the context class string via getName().

All the abstraction and extra layers are needed to get portability; it's not a SAML feature internally, just an abstracted equivalent based on it. So it works similarly for OIDC and CAS.

-- Scott
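The lookup Scott describes, written out as a small Java helper. This is an added illustration and not code from the thread or from the Shibboleth IdP project itself; the class name RequestedContextClassHelper, the caller-supplied allowlist `supported`, and the decision to return empty for any operator other than "exact" are assumptions made here. The context walk uses the IdP's real classes (ProfileRequestContext -> AuthenticationContext -> RequestedPrincipalContext) and the getOperator(), getRequestedPrincipals() and getName() methods named in the message.

```java
import java.security.Principal;
import java.util.Collection;
import java.util.List;
import java.util.Optional;

import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import org.opensaml.profile.context.ProfileRequestContext;

/**
 * Illustrative helper (hypothetical, not part of the IdP) that extracts the
 * SP-requested authentication context class from the IdP's neutral
 * RequestedPrincipalContext and checks it against an allowlist.
 */
public final class RequestedContextClassHelper {

    private RequestedContextClassHelper() {
    }

    /**
     * Returns the first requested context class that also appears in
     * {@code supported}, provided the request used the "exact" operator.
     * Returns empty when the SP requested nothing, used a different
     * operator (minimum/better/maximum need ordering logic, not string
     * equality), or requested only classes this IdP does not offer.
     *
     * @param prc       the profile request context for the current request
     * @param supported context class URIs this deployment is willing to assert
     */
    public static Optional<String> findExactMatch(final ProfileRequestContext prc,
            final Collection<String> supported) {

        // RequestedPrincipalContext hangs off AuthenticationContext, which hangs
        // off the ProfileRequestContext; either may be absent.
        final AuthenticationContext authnCtx = prc.getSubcontext(AuthenticationContext.class);
        if (authnCtx == null) {
            return Optional.empty();
        }
        final RequestedPrincipalContext rpc = authnCtx.getSubcontext(RequestedPrincipalContext.class);
        if (rpc == null) {
            // No RequestedAuthnContext in the AuthnRequest at all.
            return Optional.empty();
        }

        // Only "exact" maps to a plain equality test; bail out otherwise
        // rather than guessing (assumption made by this helper).
        if (!"exact".equals(rpc.getOperator())) {
            return Optional.empty();
        }

        // Principals are neutral objects; for a SAML request they are
        // AuthnContextClassRefPrincipal instances whose getName() is the URI.
        final List<Principal> requested = rpc.getRequestedPrincipals();
        for (final Principal p : requested) {
            if (p instanceof AuthnContextClassRefPrincipal) {
                final String classRef = p.getName();
                if (supported.contains(classRef)) {
                    return Optional.of(classRef);
                }
            }
        }
        return Optional.empty();
    }
}
```

The requested class is input supplied by the SP (and, via an unsolicited request, by anything that can reach the IdP), so the helper compares it against a fixed allowlist of classes the deployment actually asserts rather than echoing whatever URI arrived back into the assertion.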