I'm working on our code integrating the IdP with our VirtualHome implementation.
I'm hooking into the RemoteUser flow (which I understand is a special instance of ExternalAuthentication) and I'm handling this in my own servlet replacing RemoteUserAuthServlet.
I'm using the inputs and outputs as documented at https://wiki.shibboleth.net/confluence/display/IDP30/ExternalAuthnConfiguration
All is working well, but when I also tried setting authnInstant (as an attribute on the httpRequest object), this is ignored.
The SAML message then has a different instant, about 0.5s later.
Looking into the code, ExternalAuthenticationImpl stores the instant in ExternalAuthenticationContext, but there is nothing that would take it out of there and store it in the AuthenticationResult. I can see the AuthenticationResult is built in AbstractValidationAction.buildAuthenticationResult(), but nothing would set the authenticationInstant on the result object here.
The AuthenticationResult constructor then picks a new instant with:
- which I understand is what then gets used by AddAuthnStatementToAssertion.
This may sound like nit-picking, but I thought I should bring it up, having discovered it - it looks like the authnInstant output documented on the ExternalAuthnConfiguration page is ignored by the code finalizing the authentication flow.