X509Internal module and urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport AuthnContextClassRef
cantor.2 at osu.edu
Thu Jun 2 14:20:55 UTC 2022
On 6/2/22, 9:40 AM, "GALLIANO Nicolas" <nicolas.galliano at dsi.cnrs.fr> wrote:
> I am still looking for how I can (involuntarily) tell our IdP to send
> samlresponse with the PasswordProtectedTransport SAML2AuthnContextClassRef
> even in x509 authentication context ...
I really can't help you further here; per the footer, this is member support territory.
I'm simply telling you that a) the weight map works but b) you have configured the system as a whole such that the Subject the MFA flow is producing has the PPT Principal inside it.
From the description you gave, the only way that's possible is if the X509 flow was misconfigured with the PPT Principal as "supported" or if the MFA flow was changed to auto-add all its supported Principals into the final result, which is not the default behavior.