Giving an SP the authnContextClassRef they asked for
Wessel, Keith
kwessel at illinois.edu
Thu Jan 13 21:06:12 UTC 2022
Got ya; translations are for the response, not the request.
Before, you mentioned the shibboleth.principalProxyRequestMappings map, which applies globally. I'm still not clear if there's something I could apply to a specific relying party. Can that map be overridden for a specific RP? Sorry if you said this and I'm missing it.
Keith
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Thursday, January 13, 2022 2:55 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Giving an SP the authnContextClassRef they asked for
On 1/13/22, 3:35 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
> If I map PPT to MFA, then any SP that explicitly requests PPT
> (which they shouldn't be doing, anyway) will end up requiring MFA. If
> a user isn't required to do MFA, they might not be able to log in to
> that service. But frankly, that would be a good indication that an SP
> is requesting PPT unnecessarily, in which case we can yell at them.
That's kind of my point; it flushes out bugs but without doing all that much harm.
> If I really wanted to go through the trouble for just this SP, I
> could manually translate the PPT request into MFA with an
> authnContextTranslationStrategy bean, correct? Not that I think it's
> worth the effort. Just asking.
No, that's the reverse direction. We're talking about mapping requested values; that's a different hook, as I posted earlier.
-- Scott