Shibboleth Developers

["Scott Cantor" <>]

> 1) isPassive and forceAuthn:  pubcookie supports these most easily if
> we use different authn urls for each.  Is a custom login handler,
> along the lines of the distributed RemoteUser handler, the right way
> to go.  It would act much like RemoteUser, but make allowances for the
> passive and forceAuthn flags -- redirecting to different login urls
> for each.

Yes, that was the plan. We assumed people would implement code to check the
request options before deciding what to do.

> 2) SecureID:  pubcookie supports this also, with a distinct authn ur l
> to trigger securid login.  Is this a proper use of
> authnContextClassRef ?

Yes. I think the TimeSyncToken class is the defined one for that, but don't
hold me to that. I don't see anything else that matches.

> If so, is there a way to communicate
> 'secureid' to the handler in (1)?  or should I implement a separate
> login handler for this?

Communicate in what sense? If the request asks for that class, the handler
would have access to that, same as with IsPassive, etc.

-- Scott