Any recommendations/validation of a scheme to select a SAML Proxy or Password/MFA authentication flow based on relying party / SP entityID?

Mak, David d.mak at
Fri Jan 14 15:56:17 UTC 2022

I've configured SAML Proxy in both IDP 4.0.1 and 4.1.4 in our dev environments, in preparation for some architectural changes within our authentication architecture.

We have a need to select an authentication flow based on the entityID of the service provider's/relying party's SAML request. It will default to SAML Proxy unless the SP/RP is in a smaller list, in which case we want to use the default MFA authN flow we have, which uses the Password and Duo MFA methods.

As I see it, I will need to create a custom authN flow that checks the entityID for a match to that list, then continue with either the SAML Proxy or the MFA flows as needed.

I need to read up on the Spring Web Flow stuff more, but at first glance, I'm having trouble determining if this is possible with the design I described. It seems the only end-state is a "proceed" and I can't quite see how a custom authN flow can initiate either a SAML Proxy flow or an MFA authN flow.

Any advice would be appreciated. Thanks in advance!

David Mak (Pronouns: He/Him/His)
Identity Services Specialist
Information Technology Services
Northeastern University
360 Huntington Ave. Boston MA 02115-5000
Mail Stop: 302-216
O:617-373-7836 M:617-840-7543
d.mak at