
shibboleth-dev - Re: User Authentication on the IDP?

Subject: Shibboleth Developers

  • From: Nate Klingenstein <>
  • To:
  • Subject: Re: User Authentication on the IDP?
  • Date: Thu, 31 Jan 2008 19:00:01 +0000

Jeff,

I've managed to get this to work through a kludge that allows the IdP to check certificate fields passed in by using the container's client certificate authentication, but it was ugly and required a lot of outside infrastructure and some code modification.  Essentially, I just checked SSL_CLIENT_S_DN_CN after mod_ssl did all the proper trust stuff on the certificate and TLS itself.

I've put in a request to Chad to implement proper client certificate authentication in the IdP, with optional fallback to a username/password page that's disabled by default.  Among all of my other requests, he hasn't gotten to this one yet.  However, he says it wouldn't take much time or effort and it's near the top of the list.

That's your hint to vote for this functionality as well, and it will probably make it into the distribution shortly. ;)
Nate.

On 31 Jan 2008, at 18:48, <> wrote:

Has anyone deployed using client certificate authentication (CCA) on the IDP with Shibboleth 2.0?  I need to deploy an IDP with CCA, and enabling it in the Tomcat container is easy (and done), but the technique used in Shibboleth 1.3, I can’t seem to find a way to reproduce that in Shibboleth 2.0. 

Has anyone done this?  Is there a resource somewhere that explains how to do it (I couldn’t find anything on the wiki)?
 
Is this something that I will need to dig into JAAS to do?  In the old Shibboleth (I realize the authentication endpoint was much simpler then), it was a simple matter of configuring a filter to specify what part of the Cert should be delivered to Shibboleth as REMOTE_USER.
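
The kind of filter discussed in this thread, sketched as an added example that is not part of either message and is not Shibboleth code: a servlet filter that exposes the CN of the client certificate as REMOTE_USER. The class name `CertCnRemoteUserFilter` is hypothetical, and the sketch assumes the container terminates TLS with client authentication required, so the certificate chain has already been validated before the filter runs.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: maps the verified client certificate's CN to REMOTE_USER. */
public class CertCnRemoteUserFilter implements Filter {

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // The container sets this attribute only after the TLS handshake has
        // verified the chain. Never take the identity from a request header,
        // which any client can forge.
        X509Certificate[] certs =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        final String cn = (certs == null || certs.length == 0)
            ? null : commonName(certs[0]);   // element 0 is the client's own certificate
        if (cn == null) {
            // Fail closed: no certificate, or no usable CN, means no identity.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                "A client certificate with a CN is required");
            return;
        }
        chain.doFilter(new HttpServletRequestWrapper((HttpServletRequest) req) {
            @Override public String getRemoteUser() { return cn; }
        }, res);
    }

    /** Returns the most specific CN in the subject DN, or null if absent or unparsable. */
    static String commonName(X509Certificate cert) {
        try {
            // Parse the DN instead of splitting on commas, so escaped commas
            // inside a value cannot shift which field is read.
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            // LdapName index 0 is the rightmost (least specific) RDN, so walk down from the end.
            for (int i = dn.size() - 1; i >= 0; i--) {
                Rdn rdn = dn.getRdn(i);
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException e) {
            // Unparsable subject DN: treated as having no CN.
        }
        return null;
    }
}
```

A CN is only as unique as the issuing CA makes it, so the set of CAs the container trusts for client authentication determines which names this filter can ever assert.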
 
 



