Giving an SP the authnContextClassRef they asked for

Wessel, Keith kwessel at
Thu Jan 13 17:32:30 UTC 2022

If I map PPT to MFA in the shibboleth. PrincipalProxyRequestMappings, though, then that will be global. How would I do it for one specific relying party? After all, it won't be the usual case where an SP is explicitly requesting password but I want to force MFA.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Thursday, January 13, 2022 11:18 AM
To: Shib Users <users at>
Subject: Re: Giving an SP the authnContextClassRef they asked for

On 1/13/22, 11:23 AM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

>    Can I do something to remove the requested acr from the request? I 
> was hoping to avoid writing another bean with a translation strategy 
> for this rather disgusting edge case. Is that going to be the easiest way to do this?

Yes, that's the only intended way to do this, but it's just done with a map, you don't need a whole new class, that's the bean called shibboleth.PrincipalProxyRequestMappings.

The default with an empty map is that it sends nothing if there's no requested value and echoes through anything else. Each value is fed into the map to translate it. An empty collection as a value for something being fed in should result in nothing being passed along.

-- Scott

For Consortium Member technical support, see;!!DZ3fjg!pMMRpHkLyV-GU_j_hpb__f27SUso-lP_xd_DrVoYA_xaphy93ATz0X3jmwp4ojbN9w$
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list