Giving an SP the authnContextClassRef they asked for

Wessel, Keith kwessel at
Thu Jan 13 21:06:12 UTC 2022

Got 'ya; translations are for the response, not the request.

Before, you mentioned the shibboleth.principalProxyRequestMappings map, which applies globally. I'm still not clear if there's something I could apply to a specific relying party. Can that map be overridden for a specific RP? Sorry if you said this and I'm missing it.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Thursday, January 13, 2022 2:55 PM
To: Shib Users <users at>
Subject: Re: Giving an SP the authnContextClassRef they asked for

On 1/13/22, 3:35 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

> If I map PPT to MFA, then any SP that explicitly requests PPT (which they shouldn't be doing, anyway) will end up requiring MFA. If a user isn't required to do MFA, they might not be able to log in to that service. But frankly, that would be a good indication that an SP is requesting PPT unnecessarily in which case we can yell at them.

That's kind of my point, it flushes out bugs but without doing all that much harm.

> If I really wanted to go through the trouble for just this SP, I could manually translate the PPT request into MFA with an authnContextTranslationStrategy bean, correct? Not that I think it's worth the effort. Just asking.

No, that's the reverse direction. We're talking about mapping requested values, that's a different hook as I posted earlier.

-- Scott
