Shibboleth Developers

[Franck Borel <>]

Hi Chad,

>> - Passing any parameters to the authentication process. Example IP
>> address, username, password, organization name - Possibility to bind
>> scripts, which handle the authentication with the possibility to
>> return error messages to the user, like "your account has expired"
> 
> This is already possible today.  
> At the instant the authentication engine invokes the login handler the 
> login handler has all the information known by the IdP up to that point.  
> The IP address, username/password (when that's the AuthN mechanism) is 
> already available.  I have no idea what you mean by organization name.  If 
> you're referring to the data in metadata that's available to.

Ok, my description was unclear :-)... I meant to pass the parameters all at 
once. We need more information on where the user belongs. For example, the 
Higher University Of Freiburg have 3 different IdMs: The Computing Center of 
the Higher University, The Computing Center of the clinical center and the 
Library Of Higher Education. All 3 IdMs are connected to one IdP. This means 
that the user have to choose his IdM from a list. The IdP gets 3 Parameters: 
1) Username 2) Password 3) Organization name (=chosen IdM). To realize this 
we use our own authentication handler. 

Another problem, is that some institutions needs the parameters username, 
password and IP address (all at once). This is because some licenses  expect, 
that the user is on campus to get access to the resources.

Other institutions like the Higher University Of Karlsruhe have implemented 
their own authentication handler based on JAAS. They have similar problems, 
but their username differs from IdM to IdM, therefore they don't need to pass 
an additional parameter. Using JAAS and not an own authentication handler, 
they hoped, that their solution will survive the next IdP version... 

It would be great if the next IdP could handle different parameters at once. 
I think of a call back handler with a list of parameters and a authentication 
handler that can be adapted to the different needs. For example an 
authentication handler called ScriptAuthentication, where a perl script can 
be bind to accomplish the authentication and returning an error message if 
the authentication failed.

Have a nice day!

-- Franck