Giving an SP the authnContextClassRef they asked for

Cantor, Scott cantor.2 at
Wed Jan 12 21:09:09 UTC 2022

On 1/12/22, 3:47 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

>    Or do I need to create an authnContextTranslationStrategy bean that manually maps it back to
> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport?

That, or change the shibboleth.IgnoredContexts bean to treat PasswordProtectedContext as ignored. That's a standards violation but that is a hook to do it. But it's global, you can't pick and choose. I have never run into an SP that wasn't Shibboleth that even knew how to check the value but that doesn't mean one doesn't exist.

Note that there's no reason why you shouldn't simply include PPT in your result. It doesn't hurt anything to do that as long as it's accurate, which I'm sure it is. The IdP will automatically use whatever is correct when it responds, it just needs to know that PPT is one of the contexts in the resulting Subject's Principal set.

-- Scott

More information about the users mailing list