Giving an SP the authnContextClassRef they asked for

Wessel, Keith kwessel at
Fri Jan 14 17:24:55 UTC 2022

I found an even easier solution: our Infoblox appliance is now sending users to an IdP-initiated URL. Unfortunately, the device still thinks it's sending an SP-initiated request, and it's including an authnRequest. Thankfully, the IdP is graciously ignoring that and only using the providerId parameter. So, it never sees the unwanted ACR in the request.

Thanks again, Scott and Mike, for the help on this.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Thursday, January 13, 2022 4:52 PM
To: Shib Users <users at>
Subject: Re: Giving an SP the authnContextClassRef they asked for

On 1/13/22, 5:31 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

>    You're referring to this from the SAML2.SSO default configuration?
>    Seems like I could just make a new map then override the defaultAuthenticationMethodsLookupStrategy for
> this specific RP using the same class but passing in my map as a parameter. Is that the idea?


-- Scott
