Using a different SP entity ID with the IdP SAML authn flow

Wessel, Keith kwessel at
Mon Sep 20 18:57:33 UTC 2021

That did it. Thank you. I just needed to replace my call to getSubcontext with a call to getParent. I didn't realize the authentication context was the parent.

Now if I can just figure out how to take an attribute coming back from ADFS that contains the satisfied authentication context class ref and turn it back into an ACR in the response, I'll be all set. 😊 You'll hear back from me if I get stuck.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Monday, September 20, 2021 11:11 AM
To: Shib Users <users at>
Subject: Re: Using a different SP entity ID with the IdP SAML authn flow

Many times when this runs, it will not find any of those contexts. On top of that, when it runs inside the SAML proxying flow, it's going to be a much more complex tree, and the input PRC is a nested one that's going to be literally below the AuthenticationContext as a child.

Try checking if the input PRC has a parent. If not, return the default. If it does, walk up via getParent, and that should be the AuthenticationContext to operate from.

-- Scott
