Using a different SP entity ID with the IdP SAML authn flow
kwessel at illinois.edu
Mon Sep 20 20:00:48 UTC 2021
Thanks for the pointer, Scott. I should be able to navigate the profile request context tree to verify that the attribute was set.
What is the second parameter to this function, the collection of principals, for? Or am I reading the documentation on the web page wrong? I'm looking at the table here:
And the one thing that's unclear to me is what should this function return? Or can it just operate on the input PRC and return nothing?
I'm still hoping we can get ADFS to signal MFA using one of the other ACR values it supports instead of a claim so we can just use the pre-defined mappings to map that to the Refeds MFA context. It would be cleaner and simpler. But I'm going down this road as I don't expect that will pan out.
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Monday, September 20, 2021 2:03 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Using a different SP entity ID with the IdP SAML authn flow
On 9/20/21, 2:57 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
> Now if I can just figure out how to take an attribute coming back from ADFS that contains the satisfied
> authentication context class ref and turn it back into an ACR in the response, I'll be all set. 😊 You'll hear back
> from me if I get stuck.
There's no great fix for that because it's flat broken, but 4.1 adds a function hook for it on the profile config called authnContextTranslationStrategyEx with type Function<ProfileRequestContext,Collection<Principal>>
(authnContextTranslationStrategy is the original hook that only has access to the incoming SAML AuthnContext and not the whole tree)
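An added example of a function with the type given above for authnContextTranslationStrategyEx, mapping a claim in the proxied response to the REFEDS MFA class; it is not code from this thread or from the Shibboleth project. Assumptions: the function is handed the outer ProfileRequestContext, the upstream SAML Response is still the inbound message of the nested ProfileRequestContext under AuthenticationContext, an empty collection means "no translation", and the claim name and value are placeholders.

```java
// Added illustration; class name, claim name and claim value are hypothetical.
import java.security.Principal;
import java.util.Collection;
import java.util.Collections;
import java.util.function.Function;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.XSAny;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.Response;

public class ClaimToAcrFunction implements Function<ProfileRequestContext, Collection<Principal>> {
    // Placeholders: substitute the claim ADFS actually releases and its MFA value.
    private static final String CLAIM_NAME = "urn:example:placeholder:authn-claim";
    private static final String CLAIM_MFA_VALUE = "placeholder-mfa-value";
    private static final String REFEDS_MFA = "https://refeds.org/profile/mfa";

    @Override
    public Collection<Principal> apply(ProfileRequestContext prc) {
        // Assumed tree layout: outer PRC -> AuthenticationContext -> nested PRC (proxied login).
        AuthenticationContext authn = prc == null ? null : prc.getSubcontext(AuthenticationContext.class);
        ProfileRequestContext nested = authn == null ? null : authn.getSubcontext(ProfileRequestContext.class);
        Object msg = nested == null || nested.getInboundMessageContext() == null
                ? null : nested.getInboundMessageContext().getMessage();
        if (!(msg instanceof Response)) return Collections.emptyList(); // fail closed: no MFA claim
        for (Assertion assertion : ((Response) msg).getAssertions()) {
            for (AttributeStatement stmt : assertion.getAttributeStatements()) {
                for (Attribute attr : stmt.getAttributes()) {
                    if (!CLAIM_NAME.equals(attr.getName())) continue;
                    for (XMLObject v : attr.getAttributeValues()) {
                        // Values arrive as XSString or XSAny depending on xsi:type.
                        String s = v instanceof XSString ? ((XSString) v).getValue()
                                : v instanceof XSAny ? ((XSAny) v).getTextContent() : null;
                        if (CLAIM_MFA_VALUE.equals(s)) // exact match only
                            return Collections.singletonList(new AuthnContextClassRefPrincipal(REFEDS_MFA));
                    }
                }
            }
        }
        return Collections.emptyList(); // claim absent or different: never assert MFA
    }
}
```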