shibboleth-dev - Re: User Authentication on the IDP?
Subject: Shibboleth Developers
List archive
- From: Nate Klingenstein <>
- To:
- Subject: Re: User Authentication on the IDP?
- Date: Thu, 31 Jan 2008 22:16:20 +0000
I agree with Nate that native support would be nice, since that would allow proper population of AuthnContext.
For now, if you're not going to be supporting anything other than client certificates using REMOTE_USER at this IdP, you can always modify handler.xml:
<LoginHandler xsi:type="RemoteUser">
<AuthenticationMethod>urn:oasis:names:tc:SAML: 2.0:ac:classes:TLSClient</AuthenticationMethod>
<AuthenticationMethod>urn:oasis:names:tc:SAML: 2.0:ac:classes:unspecified</AuthenticationMethod>
</LoginHandler>
The authentication context in the response will match what came in on the request, so it won't signal that TLS was used if unspecified is literally, specifically requested. While the default is unspecified for both Shibboleth 1.x and SAML 2.0 requests, this default can be changed on the RelyingParty configuration.
Nate, did you test this SSLUserName feature? It works fine with PHP, but the RemoteUser handler in Shibboleth always gets the DN (not sure if Tomcat is somehow overriding the RemoteUser with SSL_CLIENT_* stuff). I can work with the DN (it’s a bit less convenient), but I was curious if this worked directly for you.
Nope, I didn't test it -- much to my chagrin, as I spent a fair deal of time testing something else. I guess this is my consolation prize. It's really bizarre that PHP and a servlet would see different values though. Glad to hear you have the flexibility to use the DN's for now.
- User Authentication on the IDP?, Jeff.Krug, 01/31/2008
- RE: User Authentication on the IDP?, Jeff.Krug, 01/31/2008
- RE: User Authentication on the IDP?, Scott Cantor, 01/31/2008
- Re: User Authentication on the IDP?, Nate Klingenstein, 01/31/2008
- RE: User Authentication on the IDP?, Jeff.Krug, 01/31/2008
- Re: User Authentication on the IDP?, Nate Klingenstein, 01/31/2008
- RE: User Authentication on the IDP?, Jeff.Krug, 01/31/2008
- Re: User Authentication on the IDP?, Nate Klingenstein, 01/31/2008
- RE: User Authentication on the IDP?, Scott Cantor, 01/31/2008
- Re: User Authentication on the IDP?, Nate Klingenstein, 01/31/2008
- RE: User Authentication on the IDP?, Jeff.Krug, 01/31/2008
- RE: User Authentication on the IDP?, Jeff.Krug, 01/31/2008
Archive powered by MHonArc 2.6.16.