
shibboleth-dev - Re: [Shib-Dev] IdP-side authorization or other post-authn processing

Subject: Shibboleth Developers


Re: [Shib-Dev] IdP-side authorization or other post-authn processing


  • From: Jim Fox <>
  • To: "" <>
  • Subject: Re: [Shib-Dev] IdP-side authorization or other post-authn processing
  • Date: Tue, 7 Sep 2010 20:09:30 -0700



It is most likely within the capabilities of a site-developed login
handler to do this kind of thing.

-1 for abusing LoginHandler to do something that's less about the user
login and more about the service the user is trying to access.


In our case, RL Bob's case, the SP is not inclined to adapt to our needs.  It is unconscionable that we would simply tell our users that this issue conforms neither to our dogma nor to that of an intransigent provider.  We needed a working solution.

It was important that we do our pre-authorization whether or not a user has an existing session with the IdP.  It is also important to note that while some of the situations might be handled with existing attributes, others required queries available only to C language applications.  So we had some issues.

Because we use Apache in front of the IdP, and because the SP in question uses GET authn requests, it is quite easy to intercept these requests, using mod_rewrite, and pre-process them with a separate application.  In essence we are invoking an authn process whether or not a session exists.

I am looking forward to v3 to see how this functionality might be implemented natively.  

Jim
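The interception Jim describes (Apache in front of the IdP, mod_rewrite diverting the SP's GET-bound AuthnRequest to a separate pre-authorization application) hinges on that application being able to read the request it intercepts. The following is an added example, not code from the thread or from the Shibboleth project: it decodes the SAMLRequest parameter of an HTTP-Redirect binding (base64 over raw DEFLATE), pulls out the SP's Issuer and AssertionConsumerServiceURL, and makes a per-SP allow/deny decision for a user the pre-authorization app has already identified by its own means. The policy table, the SP entityID, the AuthnRequest XML and the `preauthorize` function are all constructed for illustration.

```python
import base64
import binascii
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical pre-authorization policy: SP entityID -> users allowed to reach it.
# A real deployment would consult groups or the "C language only" sources Jim mentions.
POLICY = {
    "https://sp.example.org/shibboleth": {"alice", "bob"},
}

# Constructed AuthnRequest, shaped like what a Shibboleth SP sends via the Redirect binding.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_c0ffee01" Version="2.0" IssueInstant="2010-09-07T20:09:30Z"
  AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
</samlp:AuthnRequest>"""

# Assumed IdP endpoint path that the mod_rewrite rule would match.
IDP_SSO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"


def encode_redirect_authn_request(xml_text: str) -> str:
    """Redirect-binding encoding: raw DEFLATE (no zlib header), then base64."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = co.compress(xml_text.encode("utf-8")) + co.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_authn_request(saml_request_param: str) -> ET.Element:
    """Inverse of the above; raises on malformed input so the caller can fail closed."""
    raw = base64.b64decode(saml_request_param, validate=True)
    xml_bytes = zlib.decompress(raw, -15)  # -15: raw DEFLATE stream
    return ET.fromstring(xml_bytes)


def authn_request_summary(root: ET.Element) -> dict:
    """Extract the fields a pre-authorization decision would key on."""
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "is_passive": root.get("IsPassive") == "true",
        "force_authn": root.get("ForceAuthn") == "true",
    }


def sample_request_url(relay_state: str = "cookie:1234") -> str:
    """Build the URL the SP would redirect the browser to (constructed input)."""
    query = urlencode({
        "SAMLRequest": encode_redirect_authn_request(SAMPLE_AUTHN_REQUEST),
        "RelayState": relay_state,
    })
    return f"{IDP_SSO_URL}?{query}"


def preauthorize(request_url: str, user: str) -> tuple:
    """Decision the intercepting app returns: (allow, reason).

    `user` is whoever the pre-authorization app authenticated itself; this runs
    whether or not the IdP already has a session, which is the point of the setup.
    Fails closed on anything it cannot decode.
    """
    qs = parse_qs(urlsplit(request_url).query)
    if "SAMLRequest" not in qs:
        return False, "no SAMLRequest parameter"
    try:
        info = authn_request_summary(decode_redirect_authn_request(qs["SAMLRequest"][0]))
    except (ValueError, zlib.error, ET.ParseError, binascii.Error) as exc:
        return False, f"undecodable AuthnRequest: {exc}"
    allowed = POLICY.get(info["issuer"])
    if allowed is None:
        # No local policy for this SP: hand the untouched request to the IdP.
        return True, f"no policy for {info['issuer']}; pass through"
    if user in allowed:
        return True, f"{user} permitted for {info['issuer']}"
    return False, f"{user} not permitted for {info['issuer']}"


if __name__ == "__main__":
    for who in ("alice", "mallory"):
        print(who, preauthorize(sample_request_url(), who))
```

The Apache side is a single rule on the IdP's front-end virtual host, for example `RewriteCond %{REQUEST_METHOD} =GET` followed by `RewriteCond %{QUERY_STRING} (^|&)SAMLRequest=` and `RewriteRule ^/idp/profile/SAML2/Redirect/SSO$ /preauth/ [PT,QSA]`, with `/preauth/` being the application above (the endpoint path is the assumed one from the code). Two caveats a practitioner should keep in mind: the Issuer used for the policy lookup is whatever the browser-carried request claims, so unless the app verifies the Redirect binding's `SigAlg`/`Signature` parameters it is selecting a policy on an unverified value and the IdP's own trust checks remain the real gate; and the app must pass `RelayState` through untouched when it forwards an allowed request, or the SP will lose the user's original target.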

Archive powered by MHonArc 2.6.16.
