Giving an SP the authnContextClassRef they asked for
Cantor, Scott
cantor.2 at osu.edu
Wed Jan 12 21:09:09 UTC 2022
On 1/12/22, 3:47 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
> Or do I need to create an authnContextTranslationStrategy bean that manually maps it back to
> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport?
That, or change the shibboleth.IgnoredContexts bean to treat PasswordProtectedContext as ignored. That's a standards violation, but that is a hook to do it. But it's global; you can't pick and choose. I have never run into an SP that wasn't Shibboleth that even knew how to check the value, but that doesn't mean one doesn't exist.
Note that there's no reason why you shouldn't simply include PPT in your result. It doesn't hurt anything to do that as long as it's accurate, which I'm sure it is. The IdP will automatically use whatever is correct when it responds; it just needs to know that PPT is one of the contexts in the resulting Subject's Principal set.
-- Scott