Warn when defaultAuthenticationMethods used without disallowedFeatures
Description
It’s very common that people don’t realize that you can’t apply an IdP-side rule about AuthnContext requirements in a profile override without also applying the disallowedFeatures property to block an SP from making a request that just overrides the rule, and those SPs by definition can’t require the context themselves or the IdP rule wouldn’t be needed.
We might be able to warn about that somehow, not sure exactly how or if it’s possible.
Environment
None
Activity
Scott Cantor February 18, 2025 at 8:45 PM
Triggering off option controlling whether to override the SP’s requested contexts or not, now logs at info or warn (the latter to note it can’t override the SP’s criteria and that’s probably a bug).
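An offline check for the misconfiguration this issue describes, added here as an example and not taken from the issue or the IdP code base: it scans Spring-style profile beans for defaultAuthenticationMethods set without disallowedFeatures. It assumes both properties are set directly on the bean (as p: attributes or nested property elements) and does not follow parent beans or property files; the sample XML, bean ids and reference names are constructed.

```python
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"
P_NS = "http://www.springframework.org/schema/p"

# Constructed sample in the style of a relying-party override file.
# Bean ids and the *-ref targets are placeholders, not real IdP bean names.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="p-attr-no-block" parent="SAML2.SSO"
        p:defaultAuthenticationMethods-ref="ExampleMfaPrincipals"/>
  <bean id="nested-no-block" parent="SAML2.SSO">
    <property name="defaultAuthenticationMethods">
      <list><ref bean="ExampleMfaPrincipal"/></list>
    </property>
  </bean>
  <bean id="rule-with-block" parent="SAML2.SSO"
        p:defaultAuthenticationMethods-ref="ExampleMfaPrincipals"
        p:disallowedFeatures-ref="ExampleFeatureMask"/>
  <bean id="no-rule" parent="SAML2.SSO"/>
</beans>"""


def property_names(bean):
    """Names of properties set on a bean via p: attributes or <property>."""
    names = set()
    for attr in bean.attrib:
        if attr.startswith("{" + P_NS + "}"):
            name = attr.split("}", 1)[1]
            # p:foo-ref="bar" sets property "foo" to a bean reference.
            names.add(name[:-4] if name.endswith("-ref") else name)
    for prop in bean.findall("{%s}property" % BEANS_NS):
        names.add(prop.get("name"))
    return names


def find_unprotected(xml_text):
    """Return ids of beans with an IdP-side AuthnContext rule that an SP
    request could still override because disallowedFeatures is not set."""
    flagged = []
    for bean in ET.fromstring(xml_text).iter("{%s}bean" % BEANS_NS):
        names = property_names(bean)
        if ("defaultAuthenticationMethods" in names
                and "disallowedFeatures" not in names):
            flagged.append(bean.get("id") or bean.get("parent") or "<anonymous>")
    return flagged


if __name__ == "__main__":
    for bean_id in find_unprotected(SAMPLE):
        print("WARN: %s sets defaultAuthenticationMethods "
              "without disallowedFeatures" % bean_id)
```

The check only confirms that disallowedFeatures is present; whether its value actually blocks the SP's requested contexts still has to be reviewed by hand.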