Giving an SP the authnContextClassRef they asked for

Wessel, Keith kwessel at
Thu Jan 13 20:34:52 UTC 2022

Downside here is unfortunate side-effects for our users who aren't yet required to do MFA.

If I map PPT to MFA, then any SP that explicitly requests PPT (which they shouldn't be doing, anyway) will end up requiring MFA. If a user isn't required to do MFA, they might not be able to log in to that service. But frankly, that would be a good indication that an SP is requesting PPT unnecessarily in which case we can yell at them.

If I map PPT to nothing, telling the IdP to ignore it, then this particular SP that's sending the request will require the MFA-always populatin to do MFA. But it will let others who aren't MFA-required to do MFA, letting those folks in with just password.

Since this is hopefully a temporary work-around, I think the first option might be most desirable.

If I really wanted to go through the trouble for just this SP, I could manually translate the PPT request into MFA with an authnContextTranslationStrategy bean, correct? Not that I think it's worth the effort. Just asking.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Thursday, January 13, 2022 2:24 PM
To: Shib Users <users at>
Subject: Re: Giving an SP the authnContextClassRef they asked for

>    Is there a downside to listing PPT as an ignored context? Does that just impact incoming AuthnRequests?

Amounts to the same thing but without a conscious decision to map it to something else in the proxying case. I did suggest that initially.

-- Scott

For Consortium Member technical support, see;!!DZ3fjg!pOJtYyJuszauoQbJ_BhaDIDB6MeHbUuWGC-bEj77f9E7MODOKdE5Md6hJZ8ZWsjWXg$ 
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list