shibboleth-dev - handling silver authn

Subject: Shibboleth Developers

  • From: Jim Fox <>
  • To:
  • Subject: handling silver authn
  • Date: Wed, 9 Dec 2009 11:16:08 -0800 (PST)


This relates to our desire to allow an SP (NIH, say) to specifically
request an authentication class ref of 'silver' and receive an
authn response with a class ref of 'silver'. It is similar to,
but independent of, a silver assurance attribute.

If a login handler itself can verify that the user deserves the
silver LOA we can immediately solve the problem by adding the element

<AuthenticationMethod>http://incommonfederation.org/assurance/silver</AuthenticationMethod>

to the login handler's configuration.

However, more commonly a login handler will not be able to make
that distinction. Knowledge of a user's silverness might come
instead from one or more resolved attributes. In essence an
attribute would have a veto over the silver LOA.

A servlet plugin, that extends the UsernamePasswordLoginServlet,
easily accomplishes this task. It is configured with each of the
class refs that it should verify by attribute, e.g.

<init-param>
<param-name>http://incommonfederation.org/assurance/silver</param-name>
<param-value>authnsilver</param-value>
</init-param>

and maybe

<init-param>
<param-name>http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf</param-name>
<param-value>authnsilver</param-value>
</init-param>

where the param-name is an authn method and param-value is an
attribute id.

Whenever it encounters a requested (or actual) authn method of one
of these it resolves the attribute and, if the attribute has values
the method is allowed. Otherwise login is denied.

The servlet plugin works with both the remoteuser and usernamepassword login
handlers.

Jim
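The veto rule from the message above as an added, stand-alone illustration (not the plugin Jim describes nor Shibboleth IdP code): it parses an init-param mapping in the shape shown, then keeps a requested class ref only when the mapped attribute resolved with at least one value. The `<servlet>` wrapper and the resolved-attribute dictionaries are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SILVER = "http://incommonfederation.org/assurance/silver"
SP800_63 = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"

# Constructed servlet configuration in the shape shown in the post (wrapped in
# a <servlet> root so it parses as a single document).
INIT_PARAMS_XML = f"""<servlet>
  <init-param>
    <param-name>{SILVER}</param-name>
    <param-value>authnsilver</param-value>
  </init-param>
  <init-param>
    <param-name>{SP800_63}</param-name>
    <param-value>authnsilver</param-value>
  </init-param>
</servlet>"""


def parse_method_map(xml_text: str) -> Dict[str, str]:
    """Map each guarded authn method URI to the attribute id that vets it."""
    root = ET.fromstring(xml_text)
    mapping: Dict[str, str] = {}
    for param in root.iter("init-param"):
        name = param.findtext("param-name", "").strip()
        value = param.findtext("param-value", "").strip()
        if name and value:
            mapping[name] = value
    return mapping


def vet_methods(requested: List[str], method_map: Dict[str, str],
                resolved_attrs: Dict[str, List[str]]) -> List[str]:
    """Keep the requested methods the user may actually be granted."""
    allowed = []
    for method in requested:
        attr_id = method_map.get(method)
        # Unlisted methods are not subject to the veto; a listed method needs
        # its attribute to resolve with at least one value, else it is denied.
        if attr_id is None or resolved_attrs.get(attr_id):
            allowed.append(method)
    return allowed


def login_decision(requested: List[str], method_map: Dict[str, str],
                   resolved_attrs: Dict[str, List[str]]) -> Optional[str]:
    """First requested method surviving the veto, or None meaning 'deny login'."""
    allowed = vet_methods(requested, method_map, resolved_attrs)
    return allowed[0] if allowed else None
```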
