Skip to Content.
Sympa Menu

shibboleth-dev - X.509 authentication and single LoginHandler

Subject: Shibboleth Developers

List archive

X.509 authentication and single LoginHandler


Chronological Thread 
  • From: Giuseppe Fiameni <>
  • To:
  • Subject: X.509 authentication and single LoginHandler
  • Date: Thu, 9 Apr 2009 14:27:15 +0200 (MEST)
Dear all,
I have been asked to implement a new LoginHandler in order to provide
both username/password and X.509 based authentication systems within
the same instance of Shibboleth.

After some investigations I turned out with a possible solution:

- configure Tomcat with two connectors. The former (say for user/pass)
with the clientAuth parameter set to false, the latter (say for X.509) with
the clientAuth parameter set to true. Doing this way the LoginHandler
should be able to understand which connector the client requests come
from and thus present a different authentication mechanism according.

Although the presented solution should work fine, it requires the presence
of a WAYF server to redirect the user's request to the right connector
depending on the authentication mechanism the user prefers to go through.
Unfortunately, the service provide we want to make "shibboleth" enabled
seems to not accept the presence of a WAYF server because it only allows
authentication responses which come from the server it initialized the
connection. Due to this problem I was wondering if there might exist
an alternative solution which permits to offer two different auth mechanisms
without adopting a WAYF server.

Do you have any idea how to proceed ?

Since I noticed that the new release of Shibboleth will come with a X.509
authentication support, could you please give me any further detail that
might help me in implementing the same mechanism ?

Having a look to you road map I can read:
"Refactor security-related spring beans machinery to create a new context that
sits between the global context and all other contexts (this is necessary for
various things, like X.509 authentication)"

Why do you plan to refactor the entire spring beans machinery rather than
having a lighter approach ?

Many thanks for your precious help.

Best regards,
Giuseppe

--
Fiameni Giuseppe -

High Performance System & Technology Group
CINECA Interuniversitary Computing Center
Casalecchio di Reno (BO) - Italy
Tel. +39 051 6171411


  • X.509 authentication and single LoginHandler, Giuseppe Fiameni, 04/09/2009

Archive powered by MHonArc 2.6.16.

Top of Page