Order of events after a proxied authentication

Wessel, Keith kwessel at illinois.edu
Fri Aug 26 18:19:12 UTC 2022

Thanks, Scott. That helps a lot.

As soon as the beginning o the semester craziness is over, I plan to get us upgraded and take advantage of the bug fixes and enhancements you made to that translation strategy and the other various proxying improvements.


-----Original Message-----
From: Cantor, Scott <cantor.2 at osu.edu> 
Sent: Friday, August 26, 2022 12:31 PM
To: Shib Users <users at shibboleth.net>
Cc: Wessel, Keith <kwessel at illinois.edu>
Subject: Re: Order of events after a proxied authentication

>    Does the principalProxyResponseMappings run first, then my
> translationstrategy? 

No. That map and the function that applies it is a "default" implementation of the original authnContextTranslationStrategy hook.

The one you had me add (the Ex one) runs first and if it adds Principals to the Subject, then the original hook doesn't run.

The order is:

1. Run Ex hook
2. If nothing added, run original hook
3. If nothing added, copy from the Response as a final option

See net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication, in the populateSubject method.

> And is the principal checked against the list of allowed
> principals for the MFA flow at the end of that flow, and after all of these
> mappings happen?

No. The suppotedPrincipals setting has to do with the system deciding whether to run flows, and it only comes into play otherwise when those "auto-add supported Principals" flags are set, which would not be the case here.

-- Scott

More information about the users mailing list