Shibboleth Developers

["Scott Cantor" <>]

> You mean that if my LoginHandler does not implement isPassive or
> forceAuthn the IDP will "emulate" them for me? Because I want my IDP
> to support them.

No, it only does the work of preventing you from getting control if they're
specified and you don't support them. If you want to support them, you need
to build a LoginHandler that can honor them. If the eventual protocol that
handles SSO can't support them, you can't really do that.

> What about the session that is created by the Authentication framework
> that we will use? For example,  with the RemoteUser login handler, we
> deploy a servlet filter to protect the RemoteUserAuthServlet. Normally
> this filter would check if the user is authenticated based on some
> session state, establish it if it doesn't exist, and fill REMOTE_USER
> with it before passing the execution to the servlet.

That filter cannot be in place until your LoginHandler gets a chance to
examine the request, or you cannot support IsPassive.

> If a request with isPassive=true arrives, how does the IDP know it can
> use this LoginHandler without blocking? In other words, how does it
> know that a session exists?

It doesn't, which is why you have to do that work and you have to get
creative with how it all connects together via your handler.
 
-- Scott