
shibboleth-dev - SecurID update

Subject: Shibboleth Developers

  • From: Scott Cantor
  • Subject: SecurID update
  • Date: Tue, 4 Sep 2007 19:09:43 -0400
  • Organization: The Ohio State University

I've managed to get a SecurID JAAS module built that's working with Tomcat
and thus Shibboleth at the same time as the original Kerberos and LDAP
modules, so if you configure things right, it can try one of those first and
if that fails, it tries the SecurID server (or you can make it use both,
switch the order, etc., standard JAAS stuff).

The logging's a mess, but I don't really understand Tomcat logging anymore,
so I don't know quite what to do with that part, any suggestions welcome
there.

The hard part's next, setting the SAML authn method from it. Because of how
Tomcat works, I see only two semi-portable ways to do this.

I could hack something into the username string it returns and have a Java
filter pick that up and use it to set the AuthnMethod header the IdP will
read (which means I have to prevent the client from spoofing it).

Essentially it would extend the Kerberos principal munger we have now that
strips the realm off but it would look for some special realm string to tell
it that SecurID was used. Yuck, I know.

Otherwise I have to resort to roles, which I don't think are really portable
in Java. The JAAS module can populate the Subject with a Principal
containing a hardcoded role name and then a filter could use the role
checking method on the servlet request, which I guess is portable even if
the mechanics of setting the role aren't.

Any suggestions? Both ideas suck, but Tomcat doesn't pass along the actual
objects created by the JAAS plugin, so you can't rely on the actual type of
the Principal objects to know what to do.

-- Scott
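One way to build the role-based variant Scott describes, as an added example that is not code from the message, from Shibboleth or from Tomcat: the JAAS module's commit() adds a marker Principal to the Subject, and a servlet Filter asks the container isUserInRole(), then hands the IdP a request whose AuthnMethod header it alone controls. The role name "SECURID", the header name "AuthnMethod", the class names and the SAML 1.1 HardwareToken URN chosen to represent a SecurID login are all assumptions for illustration.

```java
// Added example, not from the original message or the Shibboleth/Tomcat code.
// Role name, header name and the SAML URN used for SecurID are assumed values.
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Role marker the SecurID LoginModule would add in commit(), e.g.
 *   subject.getPrincipals().add(new RolePrincipal("SECURID"));
 * The container has to be told this class represents a role (for Tomcat's
 * JAASRealm that is its roleClassNames attribute); that part is not portable.
 */
final class RolePrincipal implements Principal, Serializable {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
}

public class AuthnMethodFilter implements Filter {
    /** Header the IdP is assumed to read the authentication method from. */
    static final String HEADER = "AuthnMethod";
    /** Role the JAAS module is assumed to set after a successful SecurID check. */
    static final String SECURID_ROLE = "SECURID";
    /** SAML 1.1 authentication method URI chosen here to represent a token login. */
    static final String SECURID_METHOD = "urn:oasis:names:tc:SAML:1.0:am:HardwareToken";

    public void init(FilterConfig cfg) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // isUserInRole() is the portable half: the container answers it from
        // whatever roles it derived from the JAAS Subject.
        String method = http.isUserInRole(SECURID_ROLE) ? SECURID_METHOD : null;
        // Any value the client sent under HEADER is discarded either way, so a
        // browser cannot claim a SecurID login; only this filter can set it.
        chain.doFilter(new HeaderOverrideRequest(http, HEADER, method), resp);
    }
}

/** Wrapper that replaces (value != null) or removes (value == null) one header. */
final class HeaderOverrideRequest extends HttpServletRequestWrapper {
    private final String name;
    private final String value;

    HeaderOverrideRequest(HttpServletRequest req, String name, String value) {
        super(req);
        this.name = name;
        this.value = value;
    }

    @Override public String getHeader(String n) {
        return n.equalsIgnoreCase(name) ? value : super.getHeader(n);
    }

    @Override public Enumeration getHeaders(String n) {
        if (!n.equalsIgnoreCase(name)) return super.getHeaders(n);
        List<String> v = value == null ? Collections.<String>emptyList()
                                       : Collections.singletonList(value);
        return Collections.enumeration(v);
    }

    @Override public Enumeration getHeaderNames() {
        List<String> names = new ArrayList<String>();
        for (Enumeration e = super.getHeaderNames(); e.hasMoreElements();) {
            String n = (String) e.nextElement();
            if (!n.equalsIgnoreCase(name)) names.add(n);
        }
        if (value != null) names.add(name);
        return Collections.enumeration(names);
    }
}
```

The filter has to be mapped in web.xml on the same URL as the IdP's protected endpoint so it runs after the container has authenticated the request (roles are only populated then) and before the IdP reads the header. Stripping the header unconditionally, rather than only when the role is absent, is what closes the spoofing hole in the username-munging alternative: the downstream code never sees a client-supplied value at all.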