Giving an SP the authnContextClassRef they asked for
Wessel, Keith
kwessel at illinois.edu
Thu Jan 13 17:32:30 UTC 2022
If I map PPT to MFA in the shibboleth.PrincipalProxyRequestMappings, though, then that will be global. How would I do it for one specific relying party? After all, it won't be the usual case where an SP is explicitly requesting password but I want to force MFA.
Keith
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Thursday, January 13, 2022 11:18 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Giving an SP the authnContextClassRef they asked for
On 1/13/22, 11:23 AM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
> Can I do something to remove the requested acr from the request? I
> was hoping to avoid writing another bean with a translation strategy
> for this rather disgusting edge case. Is that going to be the easiest way to do this?
Yes, that's the only intended way to do this, but it's just done with a map, you don't need a whole new class, that's the bean called shibboleth.PrincipalProxyRequestMappings.
The default with an empty map is that it sends nothing if there's no requested value and echoes through anything else. Each value is fed into the map to translate it. An empty collection as a value for something being fed in should result in nothing being passed along.
-- Scott
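
A sketch of the map described in Scott's reply, added here as an example; it is not taken from the thread or from the Shibboleth distribution. The parent bean name `shibboleth.SAML2AuthnContextClassRef`, the `util:`/`c:` namespace usage, and reading "PPT" as the PasswordProtectedTransport class URI are assumptions, as is the REFEDS MFA URI mentioned in the comment.

```xml
<!-- Added example. Global map: it applies to every relying party, which is
     the limitation raised in the reply at the top of this thread. -->
<util:map id="shibboleth.PrincipalProxyRequestMappings">

    <!-- Key: the value the SP requested (assumed here to be PPT). -->
    <entry>
        <key>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
        </key>
        <!-- Value: an empty collection, so nothing is passed along for
             this requested value. To translate instead of drop, put the
             replacement in the list, for example a bean with
             c:classRef="https://refeds.org/profile/mfa" (assumed URI). -->
        <list />
    </entry>

    <!-- Requested values with no entry here are echoed through unchanged,
         and nothing is sent when the SP requested nothing. -->
</util:map>
```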