Giving an SP the authnContextClassRef they asked for

Cantor, Scott cantor.2 at
Thu Jan 13 17:39:46 UTC 2022

On 1/13/22, 12:32 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

> If I map PPT to MFA in the shibboleth.PrincipalProxyRequestMappings, though, then that will be global. How
> would I do it for one specific relying party? After all, it won't be the usual case where an SP is explicitly
> requesting password but I want to force MFA.

Are you sure? What use case do you have to let an SP request bad authentication? Do you really imagine that such an SP even understands what it's asking?

I have never run into a single case of it. That is always just a bug.

An SP that really doesn't care what happens doesn't need to request anything.

-- Scott
