
shibboleth-dev - Re: User Authentication on the IDP?

Subject: Shibboleth Developers

List archive

Re: User Authentication on the IDP?


  • From: Nate Klingenstein <>
  • To:
  • Subject: Re: User Authentication on the IDP?
  • Date: Thu, 31 Jan 2008 22:16:20 +0000

I agree with Nate that native support would be nice, since that would allow proper population of AuthnContext.

For now, if you're not going to be supporting anything other than client certificates using REMOTE_USER at this IdP, you can always modify handler.xml:

<!-- RemoteUser handler offering both methods; the response asserts whichever one was requested -->
<LoginHandler xsi:type="RemoteUser">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient</AuthenticationMethod>
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
</LoginHandler>

The authentication context in the response will match what came in on the request, so it won't signal that TLS was used if unspecified is literally, specifically requested. While the default is unspecified for both Shibboleth 1.x and SAML 2.0 requests, this default can be changed on the RelyingParty configuration.

Nate, did you test this SSLUserName feature? It works fine with PHP, but the RemoteUser handler in Shibboleth always gets the DN (not sure if Tomcat is somehow overriding the RemoteUser with SSL_CLIENT_* stuff). I can work with the DN (it’s a bit less convenient), but I was curious if this worked directly for you.

Nope, I didn't test it -- much to my chagrin, as I spent a fair deal of time testing something else. I guess this is my consolation prize. It's really bizarre that PHP and a servlet would see different values though. Glad to hear you have the flexibility to use the DN's for now.
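The selection rule described in the handler.xml discussion above, as an added example that is not part of this thread or of the Shibboleth IdP code: it parses a constructed handler.xml fragment, returns the AuthnContext class the IdP would assert (the explicitly requested class, else the RelyingParty default), and shows the SP-side consequence that an SP gating on TLSClient must actually request it. The element names and the helper functions are assumptions made for this model.

```python
# Added example, not Shibboleth IdP code: a small model of the rule in the
# message above. The IdP asserts the AuthnContext class that was requested
# (or the RelyingParty default when the SP names none), provided some
# LoginHandler in handler.xml lists that method.
import xml.etree.ElementTree as ET

TLS_CLIENT = "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed handler.xml fragment mirroring the snippet in the thread
# (no ph: prefix, so it parses without the real IdP schema).
HANDLER_XML = """
<ProfileHandlerGroup xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <LoginHandler xsi:type="RemoteUser">
    <AuthenticationMethod>%s</AuthenticationMethod>
    <AuthenticationMethod>%s</AuthenticationMethod>
  </LoginHandler>
</ProfileHandlerGroup>
""" % (TLS_CLIENT, UNSPECIFIED)


def supported_methods(handler_xml):
    """Map each AuthenticationMethod URN to the handler type that offers it."""
    root = ET.fromstring(handler_xml)
    methods = {}
    for handler in root.iter("LoginHandler"):
        for m in handler.iter("AuthenticationMethod"):
            methods.setdefault(m.text.strip(), handler.get(XSI_TYPE))
    return methods


def asserted_context(handler_xml, requested=None, relying_party_default=UNSPECIFIED):
    """Return (handler_type, AuthnContext class) the IdP would put in the
    response, or None when no configured handler supports the wanted class."""
    wanted = requested or relying_party_default   # no request -> RP default
    handler = supported_methods(handler_xml).get(wanted)
    return (handler, wanted) if handler else None


def sp_accepts(response, required=TLS_CLIENT):
    """SP-side check with SAML 'exact' comparison: a response carrying
    'unspecified' does not prove TLS client auth even if it happened."""
    return response is not None and response[1] == required
```

Requesting nothing yields `unspecified` in the response, so `sp_accepts` rejects it until the SP asks for TLSClient or the RelyingParty default is changed.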


