Giving an SP the authnContextClassRef they asked for

Cantor, Scott cantor.2 at
Thu Jan 13 20:55:27 UTC 2022

On 1/13/22, 3:35 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

>    If I map PPT to MFA, then any SP that explicitly requests PPT (which they shouldn't be doing, anyway) will
> end up requiring MFA. If a user isn't required to do MFA, they might not be able to log in to that service. But
> frankly, that would be a good indication that an SP is requesting PPT unnecessarily in which case we can yell at
> them.

That's kind of my point, it flushes out bugs but without doing all that much harm.

>    If I really wanted to go through the trouble for just this SP, I could manually translate the PPT request into
> MFA with an authnContextTranslationStrategy bean, correct? Not that I think it's worth the effort. Just asking.

No, that's the reverse direction. We're talking about mapping requested values, that's a different hook as I posted earlier.

-- Scott

More information about the users mailing list