shibboleth-dev - Re: [Shib-Dev] Username/Password Login

Subject: Shibboleth Developers

  • From: Paul Hethmon <>
  • To: <>
  • Subject: Re: [Shib-Dev] Username/Password Login
  • Date: Fri, 03 Apr 2009 09:27:05 -0400

On 4/3/09 3:15 AM, "Pieter Vandepitte" <> wrote:

Hi,
 
I’m new to Shibboleth and I have a “design and implementation” question.
 
Here at K.U.Leuven we want to add the following functionality to Shibboleth IdP v2.x:
 
After a user has logged in with username/password authentication we want to look up some LDAP attrs to check if a user should change their credentials. E.g. x days after the last password change, the user gets an intermediate page with a warning that the user should change his/her password within y days, and after x+y days it should be impossible for that user to successfully log in. I have been looking into the documentation and source code of the username/password (JAAS) authentication and it seems that it’s not possible to configure such a login “flow”.
 
Pieter,

I would suggest you write your own LoginHandler. Don’t even bother trying to use the JAAS model because you will constantly be working around the limitations. However, you can take that set of code in Shib and use it as a skeleton/guide for your own handler. Then, in your handler, if you can query for that attribute information, or even better, have it part of the authentication credential response, then you can easily prompt the user as necessary during the login flow with really minimal (if any) changes to Shib itself.

Paul

-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----

Give a man a fire and he's warm for the day. But set fire to him and he's warm for the rest of his life.

 -- Terry Pratchett, Discworld
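
The x / x+y day decision described in this thread, as an added example that is not code from either poster or from Shibboleth. The class name, the `Decision` values, the GeneralizedTime attribute format, the boundary handling and the choice to deny login when the attribute is missing or malformed are all assumptions; a custom login handler would call `evaluate` only after the password check has succeeded.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;

// Hypothetical helper for a custom login handler; not part of Shibboleth.
public class PasswordAgePolicy {
    public enum Decision { PROCEED, WARN, DENY }

    // Assumed attribute format: LDAP GeneralizedTime in UTC, e.g. "20090301120000Z".
    private static final DateTimeFormatter LDAP_TIME =
            DateTimeFormatter.ofPattern("uuuuMMddHHmmss'Z'");

    private final long warnAfterDays; // "x" in the post
    private final long graceDays;     // "y" in the post

    public PasswordAgePolicy(long warnAfterDays, long graceDays) {
        if (warnAfterDays < 0 || graceDays < 0) {
            throw new IllegalArgumentException("periods must not be negative");
        }
        this.warnAfterDays = warnAfterDays;
        this.graceDays = graceDays;
    }

    // Call only after the username/password check has succeeded.
    public Decision evaluate(String lastChanged, Instant now) {
        if (lastChanged == null) return Decision.DENY; // assumption: fail closed
        Instant changed;
        try {
            changed = LocalDateTime.parse(lastChanged.trim(), LDAP_TIME).toInstant(ZoneOffset.UTC);
        } catch (DateTimeParseException e) {
            return Decision.DENY; // malformed value: fail closed
        }
        long ageDays = Duration.between(changed, now).toDays();
        if (ageDays < 0) return Decision.DENY; // a day or more in the future: untrustworthy
        if (ageDays >= warnAfterDays + graceDays) return Decision.DENY;
        return ageDays >= warnAfterDays ? Decision.WARN : Decision.PROCEED;
    }

    public static void main(String[] args) {
        PasswordAgePolicy policy = new PasswordAgePolicy(90, 14); // constructed values
        Instant now = Instant.parse("2009-04-03T13:27:05Z");
        // Constructed sample attribute values, including a malformed and a missing one.
        String[] samples = {"20090301120000Z", "20090101000000Z", "20081201000000Z", "garbage", null};
        for (String s : samples) {
            System.out.println(s + " -> " + policy.evaluate(s, now));
        }
    }
}
```

`WARN` maps to the intermediate page and `DENY` to a failed login; if accounts that have never changed their password carry no timestamp attribute, the fail-closed default needs an explicit exception for them.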
