Giving an SP the authnContextClassRef they asked for

Cantor, Scott cantor.2 at
Thu Jan 13 21:19:16 UTC 2022

On 1/13/22, 4:06 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

>    Before, you mentioned shibboleth.principalProxyRequestMappings map which applies globally. I'm still not
> clear if there's something I could apply to a specific relying party. Can that map be overridden for a specific
> RP? Sorry if you said this and I'm missing it.

What I posted earlier is the bean that is defaulted into the SAML2.SSO bean to determine the defaultAuthenticationMethods setting that everybody inherits from.

That class does nothing for non-proxied uses. It only produces something when proxying happens, and the defaultAuthenticationMethods setting is what gets queried when proxying to determine the outbound RequestedAuthnContext element.

If you define a copy of that to inject into a specific relying party child of the SAML2.SSO profile bean that injects a different map bean into that strategy property, that's a custom mapping that just shares the same Java implementation to perform the mapping logic but would use a different map.

So yes, you can do it, it just isn't talked about or documented particularly and I never thought about it. The class itself is in the API, I checked, so it's not going to break without some kind of warning.

-- Scott
