Using a different SP entity ID with the IdP SAML authn flow

Cantor, Scott cantor.2 at
Fri Sep 3 12:05:15 UTC 2021

On 9/2/21, 3:57 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

>    So, something like this?

The RequestedPrincipalContext is not a context class in the SAML sense, it's one in the IdP sense. It's a Java object containing the extracted details from the AuthnRequest in neutral form. The javadocs on it will demonstrate how to use it to examine the contents once you have a handle on it.

>    Does that look sane? If it doesn't work, I'll certainly study the docs for some of the objects I'm using to get
> the requested authnContextClassRef since, as you stated, that's a rough guess.

You need the docs.

Basically, assuming getOperator() is "exact", the getRequestedPrincipals() method will return the AuthnContextClassRefPrincipal objects that got built from the SP's request, which you can search through for a match, which in turn will return the context class string via getName().

All the abstraction and extra layers are needed to get portability; it's not a SAML feature internally, just an abstracted equivalent based on it. So it works similarly for OIDC and CAS.

-- Scott
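The lookup Scott describes, written out as an added example that is not from this thread or from the Shibboleth project; it walks RequestedPrincipalContext with the getOperator(), getRequestedPrincipals() and getName() calls named above. The package paths, the AuthenticationContext.getSubcontext() call and the class name RequestedClassRefs are assumptions to check against the IdP javadocs.

```java
// Added illustration, not code from the mailing-list thread.
// Package paths below are assumed to match the Shibboleth IdP layout; verify
// them against the javadocs for your IdP version.
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;

public final class RequestedClassRefs {

    /**
     * Collect the SAML AuthnContextClassRef URIs the SP asked for, but only
     * when the comparison operator is "exact". The other operators
     * ("minimum", "better", "maximum") need the IdP's own ordering logic,
     * so this helper deliberately returns nothing for them rather than guess.
     */
    public static List<String> exactClassRefs(final RequestedPrincipalContext rpc) {
        final List<String> refs = new ArrayList<>();
        if (rpc == null || !"exact".equals(rpc.getOperator())) {
            return refs;
        }
        // getRequestedPrincipals() is protocol-neutral, so filter for the
        // SAML-flavoured principal type before reading the class ref string.
        for (final Principal p : rpc.getRequestedPrincipals()) {
            if (p instanceof AuthnContextClassRefPrincipal) {
                refs.add(p.getName()); // the context class URI from the AuthnRequest
            }
        }
        return refs;
    }

    /**
     * True if the SP requested exactly the given class ref, e.g. an MFA URI.
     * Assumes the RequestedPrincipalContext hangs off the AuthenticationContext
     * as a subcontext; getSubcontext() returns null when the SP sent no
     * RequestedAuthnContext, which exactClassRefs() tolerates.
     */
    public static boolean requestedExactly(final AuthenticationContext authnCtx,
                                           final String classRef) {
        final RequestedPrincipalContext rpc =
                authnCtx.getSubcontext(RequestedPrincipalContext.class);
        return exactClassRefs(rpc).contains(classRef);
    }
}
```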
