shibboleth-dev - Re: Strawman AuthnRequest profile


  • From: Jim Fox <>
  • To: Scott Cantor <>
  • Cc: "'Shibboleth Developers'" <>
  • Subject: Re: Strawman AuthnRequest profile
  • Date: Sat, 1 Jan 2005 19:10:10 -0800 (PST)


The new protocol requires a lot more communication between elements
of the shibboleth HS and the native Web-ISO. It is unlikely that
these complex authentication requirements can be translated into
the "Location" controls that most ISOs use, plugin or not. It seems
apparent that the Web-ISO will have to be made shib-aware to some
extent, regardless of our implementation method.

That awareness would be most easily obtained if some of the shibboleth
HS was installed directly into apache ("mod_hs"). Direct memory
communication between modules is much easier than communication by
URL or Location between applications.


As an example, here's how a mod_hs could work with pubcookie.
I think other apache-based ISO systems would be similar.

1) At apache's "post-read" stage mod_hs recognizes a shib login
request. It parses the request and fills in parameters in
the apache request record.

- is shib
- force auth?
- passive?
- authncontext (e.g., securid, force auth delay, ...)

2) At apache's "authn" stage mod_pubcookie reads mod_hs variables
and adjusts its configuration accordingly. It authenticates the
user as required.

3) (If mod_hs does it all)
At apache's "handler" stage mod_hs generates the SAML response
and sends the user back to the SP - successfully authenticated.
In this case mod_hs will have to read some of mod_pubcookie's
data - to see how the authn was accomplished.

3) (else servlet HS method)
The HS servlet handles the request and generates the response.
In this case mod_pubcookie will have to export some new variables
to tomcat - to tell how the authn was accomplished.


This scheme requires only a little shib-awareness on the part
of the ISO module (pubcookie) - it has to read mod_hs data.

An added benefit of the mod_hs system is a more complete logical
separation of the HS from the AA. Their current co-location causes
much unnecessary confusion, both during configuration and
afterwards, when trying to solve problems.


happy new year everyone.

Jim
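The post-read and authn stages described in the post, worked through as an added example (not Shibboleth, pubcookie, or mod_hs code, and not from the poster). A plain struct stands in for the Apache request record; in a real httpd module the parse step would run from ap_hook_post_read_request() and publish its results via apr_table_set() on r->notes, and the decision step would run from ap_hook_check_user_id() and read them back. The wire format is an assumption: the login request is identified by the path /shibboleth/HS and carries forceAuthn, isPassive and authnContext as query parameters (names chosen for this illustration; the post does not specify how the request is encoded).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the values mod_hs would place in r->notes (assumed layout). */
typedef struct {
    int is_shib;              /* request recognised as a shib login request */
    int force_authn;          /* SP demands fresh authentication */
    int is_passive;           /* SP forbids any user interaction */
    char authn_context[64];   /* requested method, e.g. "securid" (assumed) */
} shib_notes;

/* What the ISO module (pubcookie) decides after reading mod_hs data. */
typedef enum {
    PC_NOT_SHIB,          /* not ours; pubcookie behaves as usual */
    PC_ACCEPT_SESSION,    /* existing pubcookie session satisfies the request */
    PC_REQUIRE_LOGIN,     /* ignore any existing session, send user to login */
    PC_FAIL_PASSIVE       /* passive and no usable session: fail, no prompt */
} pc_decision;

/* Minimal "k=v&k=v" lookup; copies the value of key into out. No
 * percent-decoding is performed (enough for the constructed inputs here). */
static int query_get(const char *query, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = seglen - klen - 1;
            if (vlen >= outlen) vlen = outlen - 1;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Step 1 ("post-read"): recognise the shib login request and record what
 * the SP asked for. Path and parameter names are assumptions. */
shib_notes parse_shib_request(const char *path, const char *query)
{
    shib_notes n;
    char buf[64];
    memset(&n, 0, sizeof n);
    if (strcmp(path, "/shibboleth/HS") != 0)
        return n;                        /* is_shib stays 0 */
    n.is_shib = 1;
    if (query_get(query, "forceAuthn", buf, sizeof buf))
        n.force_authn = (strcmp(buf, "true") == 0);
    if (query_get(query, "isPassive", buf, sizeof buf))
        n.is_passive = (strcmp(buf, "true") == 0);
    if (query_get(query, "authnContext", buf, sizeof buf))
        strncpy(n.authn_context, buf, sizeof n.authn_context - 1);
    return n;
}

/* Step 2 ("authn"): pubcookie reads the mod_hs notes and adjusts itself.
 * has_session says whether a valid pubcookie session already exists;
 * session_context says how that session was authenticated. */
pc_decision pubcookie_decide(const shib_notes *n, int has_session,
                             const char *session_context)
{
    int session_ok;
    if (!n->is_shib)
        return PC_NOT_SHIB;
    /* A session obtained by a weaker/different method than the one
     * requested counts as no session at all. */
    session_ok = has_session &&
        (n->authn_context[0] == '\0' ||
         strcmp(n->authn_context, session_context) == 0);
    if (n->force_authn)
        return n->is_passive ? PC_FAIL_PASSIVE : PC_REQUIRE_LOGIN;
    if (session_ok)
        return PC_ACCEPT_SESSION;
    return n->is_passive ? PC_FAIL_PASSIVE : PC_REQUIRE_LOGIN;
}

int main(void)
{
    /* Constructed request: passive, wants securid, but the existing
     * session was a password login. */
    shib_notes n = parse_shib_request("/shibboleth/HS",
        "forceAuthn=false&isPassive=true&authnContext=securid");
    printf("is_shib=%d force=%d passive=%d ctx=%s -> decision %d\n",
           n.is_shib, n.force_authn, n.is_passive, n.authn_context,
           (int)pubcookie_decide(&n, 1, "password"));
    return 0;
}
```

The point this makes concrete is the one in the post: the ISO module needs only to read a handful of values that mod_hs has already placed in the request record, and all the protocol parsing stays on the mod_hs side. Step 3 (generating the SAML response, or exporting the authn method to the servlet HS) would read the session details back in the same direction.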


