Skip to Content.
Sympa Menu

shibboleth-dev - Re: [Shib-Dev] [IdPv3] Authenticate Engine

Subject: Shibboleth Developers

List archive

Re: [Shib-Dev] [IdPv3] Authenticate Engine


Chronological Thread 
  • From: Franck Borel <>
  • To:
  • Subject: Re: [Shib-Dev] [IdPv3] Authenticate Engine
  • Date: Mon, 5 Jul 2010 09:20:13 +0200

Hi Chad,

>> - Passing any parameters to the authentication process. Example IP
>> address, username, password, organization name - Possibility to bind
>> scripts, which handle the authentication with the possibility to
>> return error messages to the user, like "your account has expired"
>
> This is already possible today.
> At the instant the authentication engine invokes the login handler the
> login handler has all the information known by the IdP up to that point.
> The IP address, username/password (when that's the AuthN mechanism) is
> already available. I have no idea what you mean by organization name. If
> you're referring to the data in metadata that's available to.

Ok, my description was unclear :-)... I meant to pass the parameters all at
once. We need more information on where the user belongs. For example, the
Higher University Of Freiburg have 3 different IdMs: The Computing Center of
the Higher University, The Computing Center of the clinical center and the
Library Of Higher Education. All 3 IdMs are connected to one IdP. This means
that the user have to choose his IdM from a list. The IdP gets 3 Parameters:
1) Username 2) Password 3) Organization name (=chosen IdM). To realize this
we use our own authentication handler.

Another problem, is that some institutions needs the parameters username,
password and IP address (all at once). This is because some licenses expect,
that the user is on campus to get access to the resources.

Other institutions like the Higher University Of Karlsruhe have implemented
their own authentication handler based on JAAS. They have similar problems,
but their username differs from IdM to IdM, therefore they don't need to pass
an additional parameter. Using JAAS and not an own authentication handler,
they hoped, that their solution will survive the next IdP version...

It would be great if the next IdP could handle different parameters at once.
I think of a call back handler with a list of parameters and a authentication
handler that can be adapted to the different needs. For example an
authentication handler called ScriptAuthentication, where a perl script can
be bind to accomplish the authentication and returning an error message if
the authentication failed.

Have a nice day!

-- Franck


Archive powered by MHonArc 2.6.16.

Top of Page