X509Internal module and urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport AuthnContextClassRef

Cantor, Scott cantor.2 at osu.edu
Thu Jun 2 16:30:37 UTC 2022

On 6/2/22, 12:21 PM, "users on behalf of Cantor, Scott via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:

>    >    About the supported principals by the mfa flow, it's the same with this configuration:
>    That's what's supported; that's not what's added to the result unless you change the defaults to tell it to
>    auto-add them, which is not normally the right thing to do.

Specifically, the supportedPrincipals settings tell the system how to deal with requests that stipulate one of those values. When there's nothing requested, they *only* matter when the corresponding addDefaultPrincipals property for the flow is enabled, which it is not for MFA by default.

For Password and X509, you typically just leave it, and it adds in whatever the supportedPrincipals are into the Subject as a default behavior that's generally correct. Password adds its values and X509 would add its values.

An MFA flow that only runs X509 and doesn't auto-add should be building a subject that only contains the supportedPrincipals of the X509 flow.

Since that's not what it's doing, something has been incorrectly changed to conflict with that outcome, or you're running the Password flow in every case and it's including a result from that in the final merge.

-- Scott
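An added configuration example, not part of the thread and not taken from the Shibboleth project's files, showing the IdP 4.x conf/authn/authn.properties settings Scott's explanation turns on. The property names, value formats (saml2/ and saml1/ prefixes) and defaults are assumed from the stock authn.properties of that version line; check them against the copy shipped with your own IdP.

```properties
# Added example (not from the thread or the Shibboleth project). Property names
# and default values are assumed from the stock IdP 4.x conf/authn/authn.properties;
# verify against your own file.

# Password flow: addDefaultPrincipals is true by default, so its
# supportedPrincipals are added to the Subject whenever the flow runs.
idp.authn.Password.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:password
idp.authn.Password.addDefaultPrincipals = true

# X509 flow: same default behaviour. A Subject built from X509 alone should
# therefore carry only these values.
idp.authn.X509.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:X509-PKI
idp.authn.X509.addDefaultPrincipals = true

# MFA flow: supportedPrincipals here only decide which requested values the
# flow is willing to satisfy. With the default below they are NOT added to the
# merged result; the merged Subject holds only what the flows that actually
# ran produced.
idp.authn.MFA.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509
idp.authn.MFA.addDefaultPrincipals = false

# Flipping this to true is the change that would make PasswordProtectedTransport
# show up after an MFA run in which only X509 executed:
# idp.authn.MFA.addDefaultPrincipals = true
```

The other cause named in the reply, the Password flow running on every request, lives in the MFA transition map in conf/authn/mfa-authn-config.xml rather than in these properties; if the MFA property above is still false, check the transitions to confirm Password is only invoked when the X509 step did not succeed.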
