Using a different SP entity ID with the IdP SAML authn flow

Wessel, Keith kwessel at
Mon Sep 20 15:54:27 UTC 2021

But I am coding defensively. That's how I'm catching the null value.

This code always falls through to my last else block and reports authentication context is null. I'm invoking it as the responder ID lookup strategy for the IdP that I'm proxying to:

        <bean parent="RelyingPartyByName" c:relyingPartyIds="%{idp.saml-proxy.entityID}">
            <property name="profileConfigurations">
                <list>
                    <ref bean="SAML2.SSO"/>
                </list>
            </property>
        </bean>

Here's my code in case you have suggestions to make it more defensive. But it's definitely running and falling through to that last else. If I can't get the authentication context, I obviously can't dig deeper to get the requested principals.

        var spEntityID = "%{idp.entityID}";
        var logger = Java.type("org.slf4j.LoggerFactory").getLogger("proxy_sp_entity_id");
        // "input" is the ProfileRequestContext handed to a ScriptedContextLookupFunction.
        var authnCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");

        if (authnCtx != null) {
            var reqprCtx = authnCtx.getSubcontext("net.shibboleth.idp.authn.context.RequestedPrincipalContext");

            if (reqprCtx != null) {
                var requestedPrincipals = reqprCtx.getRequestedPrincipals();

                // java.util.List supports forEach with a JS function under Nashorn.
                requestedPrincipals.forEach(
                    function(principal) {
                        if (principal instanceof Java.type("net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal")) {
                            var name = principal.getName();
                            logger.debug("considering principal " + name);

                            // The MFA class-ref URI was mangled by the list's URL rewriter;
                            // the REFEDS MFA profile URI is assumed here.
                            if (name.equals("https://refeds.org/profile/mfa")) {
                                logger.debug("SP requested MFA");
                                spEntityID = "%{idp.entityID}:mfa";
                            } else if (name.equals("urn:oasis:names:tc:SAML:2.0:ac:classes:Password")) {
                                logger.debug("SP requested password only");
                                spEntityID = "%{idp.entityID}:password";
                            }
                        }
                    });
            } else {
                logger.debug("No requested principals, using default");
            }
        } else {
            logger.error("AuthenticationContext is null");
        }

        logger.debug("Using entity ID " + spEntityID);
        // The value of the script's last expression is what the lookup function returns.
        spEntityID;
-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Friday, September 17, 2021 7:31 PM
To: Shib Users <users at>
Subject: Re: Using a different SP entity ID with the IdP SAML authn flow

On 9/17/21, 5:01 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

>    The ProfileRequestContext (input in my bean) doesn't seem to contain the authentication context.

It's there once it's added, and it's not until it is. You're not coding defensively so that the function runs safely at all times.

-- Scott
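As an added example, not Keith's posted script and not Shibboleth project code, here is the same decision written so that it is safe to evaluate at any point in the flow, including before the AuthenticationContext has been added to the ProfileRequestContext, which is the situation Scott describes. The Java context objects are replaced by plain objects that expose the same method names (getSubcontext, getRequestedPrincipals, getName) so the code runs under Node; the isClassRef() body stands in for the instanceof Java.type(...) test, the REFEDS MFA profile URI is an assumption (the archived message mangled the value), and every fixture is constructed here. It also departs from the posted script in one way: when the SP requests more than one class, it picks the strongest recognised one instead of whichever principal happens to come last in the list.

```javascript
// Added example: a defensively written responder-ID lookup for the IdP's
// proxy SP. Not the posted script and not Shibboleth project code.
// Written in ES5 style so the decision logic could be dropped into a
// Shibboleth ScriptedContextLookupFunction (Nashorn/Rhino) with the
// isClassRef() body swapped for the Java instanceof check.

var AUTHN_CTX = "net.shibboleth.idp.authn.context.AuthenticationContext";
var REQ_PRINCIPAL_CTX = "net.shibboleth.idp.authn.context.RequestedPrincipalContext";

// Recognised AuthnContextClassRef values, strongest first. The REFEDS MFA
// profile URI is an assumption (the archived message mangled the value).
var CLASS_SUFFIXES = [
  { classRef: "https://refeds.org/profile/mfa", suffix: ":mfa" },
  { classRef: "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", suffix: ":password" }
];

// Mock stand-in for
//   principal instanceof Java.type("net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal")
// The constructed principals below carry a type tag instead.
function isClassRef(principal) {
  return principal != null && principal.type === "AuthnContextClassRefPrincipal";
}

// prc: the ProfileRequestContext (the script's `input`); baseEntityId: the
// IdP's own entityID; log: optional function(msg) (an slf4j logger on the IdP).
// Returns the SP entityID to present to the upstream IdP. A missing context,
// an empty list or an unrecognised class all fall back to the base ID.
function selectProxyEntityId(prc, baseEntityId, log) {
  log = log || function () {};
  if (prc == null) {
    log("no ProfileRequestContext, using default");
    return baseEntityId;
  }
  var authnCtx = prc.getSubcontext(AUTHN_CTX);
  if (authnCtx == null) {
    // Normal when the function is evaluated before authentication starts.
    log("AuthenticationContext not present yet, using default");
    return baseEntityId;
  }
  var reqprCtx = authnCtx.getSubcontext(REQ_PRINCIPAL_CTX);
  if (reqprCtx == null) {
    log("no RequestedPrincipalContext, using default");
    return baseEntityId;
  }
  var requested = reqprCtx.getRequestedPrincipals() || [];
  var names = {};
  // forEach works on both JS arrays and java.util.List under Nashorn.
  requested.forEach(function (p) {
    if (isClassRef(p)) {
      names[p.getName()] = true;
    }
  });
  // Choose the strongest class the SP asked for, rather than whichever
  // principal happened to come last in the request.
  for (var i = 0; i < CLASS_SUFFIXES.length; i++) {
    if (names[CLASS_SUFFIXES[i].classRef]) {
      log("SP requested " + CLASS_SUFFIXES[i].classRef);
      return baseEntityId + CLASS_SUFFIXES[i].suffix;
    }
  }
  log("no recognised AuthnContextClassRef, using default");
  return baseEntityId;
}

// --- constructed fixtures that mimic the IdP context tree (not IdP code) ---

function makeContext(subcontexts) {
  return {
    getSubcontext: function (className) {
      return Object.prototype.hasOwnProperty.call(subcontexts, className)
        ? subcontexts[className] : null;
    }
  };
}

function classRefPrincipal(name) {
  return { type: "AuthnContextClassRefPrincipal", getName: function () { return name; } };
}

function declRefPrincipal(name) {
  return { type: "AuthnContextDeclRefPrincipal", getName: function () { return name; } };
}

// requested === undefined: no AuthenticationContext at all (early call).
// requested === null: AuthenticationContext present, no RequestedPrincipalContext.
// otherwise: full tree carrying the given principal list.
function makePrc(requested) {
  var prcSubs = {};
  if (requested !== undefined) {
    var authnSubs = {};
    if (requested !== null) {
      authnSubs[REQ_PRINCIPAL_CTX] = {
        getRequestedPrincipals: function () { return requested; }
      };
    }
    prcSubs[AUTHN_CTX] = makeContext(authnSubs);
  }
  return makeContext(prcSubs);
}
```

On the IdP itself the last statement of the script would be the call to selectProxyEntityId(input, "%{idp.entityID}", ...) so that its value becomes the function's result, and every branch above returns a usable entityID, so an early evaluation logs at debug rather than error and never yields null.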

For Consortium Member technical support, see the Consortium support page.
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list