Currently, if the isPassive-flag is set and control reaches the external authentication servlet it means that the core Shibboleth functions weren't able to issue an assertion based on a former authentication, and since our implementation will display an UI we should fail.
There may be implementation of the external authentication API that can issue an assertion without displaying an UI. For those implementation we should be able to configure whether to handle the IsPassive/ForceAuthn flags themselves.
martin-lindstrom
commented
6 years ago
Currently, if the isPassive-flag is set and control reaches the external authentication servlet it means that the core Shibboleth functions weren't able to issue an assertion based on a former authentication, and since our implementation will display an UI we should fail.
There may be implementation of the external authentication API that can issue an assertion without displaying an UI. For those implementation we should be able to configure whether to handle the IsPassive/ForceAuthn flags themselves.