Using a different SP entity ID with the IdP SAML authn flow

Wessel, Keith kwessel at
Mon Sep 20 20:00:48 UTC 2021

Thanks for the pointer, Scott. I should be able to navigate the profile request context tree to verify that the attribute was set.

What is the second parameter to this function, the collection of principals, for? Or am I reading the documentation on the web page wrong? I'm looking at the table here:

And the one thing that's unclear to me is what should this function return? Or can it just operate on the input PRC and return nothing?

I'm still hoping we can get ADFS to signal MFA using one of the other ACR values it supports instead of a claim so we can just use the pre-defined mappings to map that to the Refeds MFA context. It would be cleaner and simpler. But I'm going down this road as I don't expect that will pan out.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Monday, September 20, 2021 2:03 PM
To: Shib Users <users at>
Subject: Re: Using a different SP entity ID with the IdP SAML authn flow

On 9/20/21, 2:57 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

>    Now if I can just figure out how to take an attribute coming back from ADFS that contains the satisfied
> authentication context class ref and turn it back into an ACR in the response, I'll be all set. 😊 You'll hear back
> from me if I get stuck.

There's no great fix for that because it's flat broken, but 4.1 adds a function hook for it on the profile config called authnContextTranslationStrategyEx with type Function<ProfileRequestContext,Collection<Principal>>

(authnContextTranslationStrategy is the original hook that only has access to the incoming SAML AuthnContext and not the whole tree)

-- Scott
