Using a different SP entity ID with the IdP SAML authn flow

Wessel, Keith kwessel at
Wed Sep 15 16:45:27 UTC 2021

Makes sense. So, what I have will work, but it's a minimal implementation, and it would cause anything other than the Refeds MFA context to be passed through with the default SP entity ID. I could just let ADFS deal with those, of course, or I could try and do more with this.

I'll try and get my head around whether I can support the other operators, but that might be overkill for this specific use case.

If I did want to put if statements in for the specific authn contexts I want to support and have any other non-null values result in an error, what method would I call to set the error? Is there a setError or similar method on the inupt object that I can invoke? Obviously, I'd need to wire up that error elsewhere in the IdP or use one of the existing error condition events.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Wednesday, September 15, 2021 11:30 AM
To: Shib Users <users at>
Subject: Re: Using a different SP entity ID with the IdP SAML authn flow

On 9/15/21, 12:24 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

>    Is it necessary to use getOperator instead of just iterating over 
> the list of requested principals and calling
> getName() on each which, to me, looks like it just returns a string on 
> which I can use a standard equal operator?

Your algorithm is presuming the request is asking for "any one of these". That's exact. I'm simply noting SAML doesn't limit the standard that, and the IdP doesn't just fail if other operators are used. At least detecting something else you don't want to support and treating that as an error for your purposes is the defensive approach.

Whether you can actually intelligently process better, maximum, or minimum to some degree is a different matter.

-- Scott

For Consortium Member technical support, see;!!DZ3fjg!rUBVBst09pSi1lkZ_umYfjJQquqxqOSyikDuZHBxRluUS2HlbssylPTZul0WyXDd7w$
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list