shibboleth-dev - Shib 2.0 Authentication Handler Interface
Subject: Shibboleth Developers
List archive
- From: Chad La Joie <>
- To:
- Subject: Shib 2.0 Authentication Handler Interface
- Date: Fri, 10 Nov 2006 07:23:45 -0500
- Organization: UIS - middleware
I've checked in what I believe to be a fairly complete interface for the Shibboleth 2.0 Authentication Handlers:
http://svn.middleware.georgetown.edu/view/trunk/src/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationHandler.java?root=java-idp&view=markup
The interface is pretty simple and should allow easy inter-operation with external authentication sources (e.g. container, Apache, other SSOs). The goal is to keep it simple too.
The operation is fairly simple, the IdP will determine which handler to invoke by looking at a lot of internal information (e.g. whether you've authenticated before, when you did so, what type of criteria are present on the incoming request, etc.) and if authentication is required it will invoke the appropriate handler. The appropriate handle is either the one set as the default in the IdP config or the one corresponding to the AuthnContext Class/Decl URI provided in the authentication request.
Once the authentication method has been invoked the handler will have complete control and may interact with the user however is necessary in order to authenticate the user. Once that is complete the handler (or some other servlet/JSP it passed off to), must then forward the current request/response pair backed to a location provided to the handler (via setReturnLocation(String).
The incoming request to the handler will contain the SAML 2 authentication request representing this request (even if the actual system making the request is not a SAML 2 based system) within a request attribute. The handler must ensure the user's principal name is set in a request attribute when it returns control back to the IdP.
As I said, this should allow Shib 2.0 to be hooked in to any AuthN environment that 1.3 currently works in. We will ship, at least, a forms based userid/password handler, a remote user based handler (that works like Shib does now), and probably an IP based one.
Comments/Questions?
--
Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124
- Shib 2.0 Authentication Handler Interface, Chad La Joie, 11/10/2006
- Re: Shib 2.0 Authentication Handler Interface, Velpi, 11/14/2006
- Re: Shib 2.0 Authentication Handler Interface, Chad La Joie, 11/14/2006
- RE: Shib 2.0 Authentication Handler Interface, Scott Cantor, 11/14/2006
- Re: Shib 2.0 Authentication Handler Interface, Chad La Joie, 11/14/2006
- RE: Shib 2.0 Authentication Handler Interface, Scott Cantor, 11/14/2006
- Re: Shib 2.0 Authentication Handler Interface, Chad La Joie, 11/14/2006
- Re: Shib 2.0 Authentication Handler Interface, Chad La Joie, 11/24/2006
- Re: Shib 2.0 Authentication Handler Interface, Velpi, 11/14/2006
Archive powered by MHonArc 2.6.16.