Order of events after a proxied authentication

Cantor, Scott cantor.2 at osu.edu
Fri Aug 26 17:31:26 UTC 2022


> Does the principalProxyResponseMappings run first, then my
> translationstrategy?

No. That map and the function that applies it are a "default" implementation of the original authnContextTranslationStrategy hook.

The one you had me add (the Ex one) runs first and if it adds Principals to the Subject, then the original hook doesn't run.

The order is:

1. Run Ex hook
2. If nothing added, run original hook
3. If nothing added, copy from the Response as a final option

See net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication, in the populateSubject method.

> And is the principal checked against the list of allowed
> principals for the MFA flow at the end of that flow, and after all of these
> mappings happen?

No. The supportedPrincipals setting has to do with the system deciding whether to run flows, and it only comes into play otherwise when those "auto-add supported Principals" flags are set, which would not be the case here.

-- Scott



