
shibboleth-dev - RE: Shibboleth 2.0 authentication API

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Shibboleth 2.0 authentication API
  • Date: Fri, 20 Apr 2007 10:51:03 -0400
  • Organization: The Ohio State University

> I'm trying to ascertain what would be involved in writing a handler that
> could consume a SAML authentication assertion in order to authenticate a
> user.

Meaning you want to use SAML authentication to get a new SAML assertion?
That isn't something a browser can do, so it's not in scope of the initial
effort.

> I read that "[t]he incoming request to the handler will contain the SAML
> 2 authentication request representing this request"; I am struggling to
> understand what a SAML 2 authentication request representing a SAML 2
> authentication assertion would look like.

Authentication is carried outside the SAML request in the binding or
transport layer. In the case of SAML chaining, you would normally use SOAP
as in the Liberty SSOS. The authenticating assertion is in a header via WSS
and the SAML request is in the body.

The only way you could hack up a non-SOAP flow would be via the POST
binding, delivering the assertion ahead of the follow-on request message and
using some kind of cookie session to tie them together. There are no
profiles for that that I'm aware of.

In any case, the IdP's authn API is designed to give the handler access to
the whole servlet request and you can do any number of response/request
iterations with the user to do the authentication, so we believe that it
will be adaptable to various complex scenarios, but they are not in scope
initially.

-- Scott
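The SOAP layout described in the message above (authenticating assertion carried in a WS-Security header, SAML request carried in the body, as in the Liberty SSOS) as an added example; this is not code from the original message or from Shibboleth. The envelope, the IDs, the issuer URLs and the NameID are constructed values, and the function only checks that the two pieces sit where the binding puts them. It deliberately does not verify the assertion's signature, validity window or subject confirmation, which a real endpoint must do before trusting anything in that header, and a production parser should be hardened against XML entity attacks (e.g. defusedxml) rather than plain ElementTree.

```python
"""Split a SAML-chained SOAP request: assertion in the WSS header, AuthnRequest in the body.

Constructed example for the mailing-list discussion; not Shibboleth or Liberty code.
"""
import xml.etree.ElementTree as ET

# Namespaces fixed by SOAP 1.1, WS-Security 1.0 and SAML 2.0.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed message: the assertion that authenticates the requester rides in
# wsse:Security, the SAML request it authorises rides in the SOAP body.
# All identifiers and issuers below are made up for illustration.
CHAINED_REQUEST = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" soap:mustUnderstand="1">
      <saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0"
                      IssueInstant="2007-04-20T14:51:03Z">
        <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
        <saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
                        ID="_r1" Version="2.0" IssueInstant="2007-04-20T14:51:04Z">
      <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
    </samlp:AuthnRequest>
  </soap:Body>
</soap:Envelope>"""

# Constructed counter-example: same content, but the assertion was dropped into
# the body next to the request instead of the WSS header. The binding does not
# authenticate a requester that way, so it must be rejected.
MISPLACED_REQUEST = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header><wsse:Security xmlns:wsse="{NS['wsse']}"/></soap:Header>
  <soap:Body>
    <saml:Assertion xmlns:saml="{NS['saml']}" ID="_a2" Version="2.0"
                    IssueInstant="2007-04-20T14:51:03Z">
      <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    </saml:Assertion>
    <samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" ID="_r2" Version="2.0"
                        IssueInstant="2007-04-20T14:51:04Z"/>
  </soap:Body>
</soap:Envelope>"""


def split_chained_request(xml_text: str) -> dict:
    """Return the authenticating assertion and the SAML request as a dict.

    Raises ValueError when the envelope does not have exactly one assertion in
    the WSS header and exactly one AuthnRequest in the body. Signature and
    subject-confirmation checks are out of scope here and must follow.
    """
    env = ET.fromstring(xml_text)

    assertions = env.findall("soap:Header/wsse:Security/saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(
            f"expected exactly one saml:Assertion in wsse:Security, found {len(assertions)}")
    if env.findall("soap:Body//saml:Assertion", NS):
        raise ValueError("authenticating assertion must be in the WSS header, not the body")

    requests = env.findall("soap:Body/samlp:AuthnRequest", NS)
    if len(requests) != 1:
        raise ValueError(
            f"expected exactly one samlp:AuthnRequest in soap:Body, found {len(requests)}")

    assertion, request = assertions[0], requests[0]

    def text(el, path):
        node = el.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    return {
        "assertion_id": assertion.get("ID"),
        "assertion_issuer": text(assertion, "saml:Issuer"),
        "subject": text(assertion, "saml:Subject/saml:NameID"),
        "request_id": request.get("ID"),
        "request_issuer": text(request, "saml:Issuer"),
    }


def is_well_formed_chain(xml_text: str) -> bool:
    """True when the envelope follows the header/body layout, False otherwise."""
    try:
        split_chained_request(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    print(split_chained_request(CHAINED_REQUEST))
    print("misplaced accepted:", is_well_formed_chain(MISPLACED_REQUEST))
```

The placement check is the cheap part; the value of carrying the assertion in wsse:Security is that the receiving IdP can verify it (signature, audience, validity period, subject confirmation) independently of whatever the body asks for, and only then treat the body's AuthnRequest as coming from the assertion's subject.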
