Shibboleth Developers

[Franck Borel <>]

Hi Chad,

> - Ditching the JAAS interface in favor of something else.  The way that 
> JAAS works has a number of limitations, mostly because it was never meant 
> to be used with web apps, and having something specifically designed for 
> such a use case might be better all around.

which interface have you in mind? Spring Security? Many home organizations in 
the DFN-AAI-Federation had to program their own connectors to authenticate 
their users or to connect their IdM to the IdP. Some are based on JAAS and 
others are own creation. It will be fine, if the connectors will work with 
the next release of the IdP too. Therefor it will necessary that the next IdP 
could be backward compatible. I don't know if this is part of your plan. 

Another ,and I think this is the better way, is implementing the missing 
features :-). This are for example (example is taken from a real existing 
case):

- Passing any parameters to the authentication process. Example IP address, 
username, password, organization name
- Possibility to bind scripts, which handle the authentication with the 
possibility to return error messages to the user, like "your account has 
expired"

Have a nice day!

-- Franck