shibboleth-dev - Re: release of authentication assertion
- From: Will Norris <>
- Subject: Re: release of authentication assertion
- Date: Wed, 4 Oct 2006 15:29:33 -0700
On Sep 22, 2006, at 8:15 AM, Scott Cantor wrote:
>> We have exactly the same concerns at K.U.Leuven. The artifact protocol
>> requires an SP to have an entry in the metadata for any statement to
>> be released, so maybe there can be found an easy solution in that area: if
>> it's possible to force all/unauthenticated providers to use the artifact
>> protocol then that issue could be solved easily in a Shib1.3 environment.
> The fact that the old WAYF model makes using other protocols impossible
> aside, no, there's no way to force it in 1.3 without changing the code, in
> which case you just need to implement the trivial change of adding a "don't
> allow unknown requests" option for POST.
I toyed around with this a little bit today, and came up with the following patch. It is in fact rather trivial, and simply adds a configuration attribute to IdpConfig called "allowAnonymousProviders". This is an optional attribute which defaults to "true" (the present behavior). If set to false, then the SSO Handler will not deliver an authentication assertion to an unauthenticated service provider, instead displaying an error message of "Unknown Service Provider". Does this seem like a logical method to use for this type of functionality?
I only modified the SSO Handler for now since that was our primary concern... the delivery of an AuthnAssertion. I think if we go forward with this, we'll want to modify the other Handlers as well, just to cover all our bases. Actually, now that I think about it, it might make more sense to just make new ProtocolHandler implementations instead of patching the existing ones, though you'd still need a patch for the configuration attribute. *shrug*
-will
Attachment: anonymous-auth.diff
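As an added illustration of the release decision described in this thread (this is a stand-alone model, not the attached diff and not Shibboleth IdP code; only the attribute name, its default, the "Unknown Service Provider" error text and the POST/artifact distinction come from the messages above, the dict-based config and metadata are assumed), it also covers the artifact case Scott mentions, where a metadata entry is required regardless of the option:

```python
"""Model of the 'allowAnonymousProviders' check discussed in the thread.

Assumptions (not Shibboleth code): metadata is a dict of providerId -> entry,
the IdP config is a plain dict of string-valued attributes, and the caller
passes the profile ('post' or 'artifact') the service provider requested.
"""

UNKNOWN_SP_ERROR = "Unknown Service Provider"  # error text from the thread


def allow_anonymous_providers(idp_config: dict) -> bool:
    """Read the optional attribute; absent means "true" (the present behavior)."""
    value = idp_config.get("allowAnonymousProviders", "true")
    return str(value).strip().lower() == "true"


def release_authn_assertion(idp_config: dict, metadata: dict,
                            provider_id: str, profile: str):
    """Decide whether the SSO handler may hand an AuthnAssertion to provider_id.

    Returns (True, None) when the assertion may be released, otherwise
    (False, error_message) for the handler to display instead.
    """
    known = provider_id in metadata
    if profile == "artifact":
        # The artifact protocol needs a metadata entry anyway (Scott's point):
        # without one the IdP has no endpoint to resolve the artifact against.
        return (True, None) if known else (False, UNKNOWN_SP_ERROR)
    if profile == "post":
        # POST is where the new option bites: unknown SPs are refused only
        # when the deployer has explicitly set allowAnonymousProviders="false".
        if known or allow_anonymous_providers(idp_config):
            return (True, None)
        return (False, UNKNOWN_SP_ERROR)
    raise ValueError(f"unsupported profile: {profile}")


# Constructed sample data, not taken from any real deployment.
METADATA = {"https://sp.example.edu/shibboleth": {"name": "Example SP"}}
DEFAULT_CONFIG = {}                                    # attribute absent -> "true"
STRICT_CONFIG = {"allowAnonymousProviders": "false"}

if __name__ == "__main__":
    unknown_sp = "https://unknown.example.org/shibboleth"
    for cfg_name, cfg in (("default", DEFAULT_CONFIG), ("strict", STRICT_CONFIG)):
        for sp in (*METADATA, unknown_sp):
            for profile in ("post", "artifact"):
                print(cfg_name, profile, sp, release_authn_assertion(cfg, METADATA, sp, profile))
```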