...

The id property of each descriptor is not arbitrary. It MUST be prefixed by "authn/" and it corresponds to a web flow definition. The predefined beans correspond to built-in flows. Creating a new flow involves not only describing the flow in this list, but ensuring the id matches a flow definition created inside flows/authn/. Specifically, creating the custom login flow "authn/foo" requires that the flow definition file be named flows/authn/foo/foo-flow.xml.
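A pre-deployment check of the naming rule above, as an added example (not Shibboleth's own code): it reads a constructed, simplified descriptor list and reports ids that lack the "authn/" prefix or have no matching flow definition file. The function names, the sample XML, the single-segment name check and the exemption of built-in ids from the file check are assumptions made for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

BEANS_NS = "{http://www.springframework.org/schema/beans}"

# Constructed, simplified descriptor list (not taken from a real deployment).
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="authn/Password"/>
  <bean id="authn/foo"/>
  <bean id="authn/bar"/>
  <bean id="custom/baz"/>
</beans>"""

def expected_flow_file(flow_id):
    """Map 'authn/foo' to flows/authn/foo/foo-flow.xml; None if the id is malformed."""
    prefix, _, name = flow_id.partition("/")
    # Assumption: one path segment after "authn/", the only shape the page describes.
    if prefix != "authn" or not name or "/" in name:
        return None
    return Path("flows") / "authn" / name / f"{name}-flow.xml"

def check_descriptors(xml_text, root, builtin=frozenset()):
    """Return {id: problem} for malformed ids and ids with no flow file under root."""
    problems = {}
    for bean in ET.fromstring(xml_text).iter(BEANS_NS + "bean"):
        flow_id = bean.get("id")
        if flow_id is None:
            continue
        rel = expected_flow_file(flow_id)
        if rel is None:
            problems[flow_id] = 'id must have the form "authn/<name>"'
        # Assumption: built-in flows ship with the IdP, so no local file is expected.
        elif flow_id not in builtin and not (Path(root) / rel).is_file():
            problems[flow_id] = f"missing {rel.as_posix()}"
    return problems

def demo():
    """Build a throwaway tree that defines only authn/foo, then check the sample."""
    with tempfile.TemporaryDirectory() as root:
        flow = Path(root) / expected_flow_file("authn/foo")
        flow.parent.mkdir(parents=True)
        flow.write_text("<flow/>")
        return check_descriptors(SAMPLE, root, builtin={"authn/Password"})

if __name__ == "__main__":
    for flow_id, problem in demo().items():
        print(f"{flow_id}: {problem}")
```
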

Note that while it is possible to associate an Authentication Flow with many different supportedPrincipals, the results can be confusing if the Principal types supported by a single Authentication Flow are not, essentially, equivalent. In many cases, it may be more effective to configure multiple flows with copies of the same bean when their supportedPrincipals differ in ways other than the authentication method, for example when they require different values from the idp.authn.resolveAttribute, as described above.

allowedContexts

The MCB can be configured to specify which Contexts are allowed to satisfy the requirements of other contexts. For example, assuming that the InCommon Bronze assurance profile satisfies the requirements of Password, and InCommon Silver satisfies all requirements of InCommon Bronze.

...