Shibboleth Developers

[Bradley Schwoerer <>]

I am looking for feedback on how to best make some changes to the 
RemoteUserLoginHandler.  I want to access information about the 
loginContext in the RemoteUserLoginHandler.

The use case is to be able to support two additional things with 
RemoteUser authentication.  The first is to allow for Relying Party 
specific extensions and the second is to support force authentication.  
IMHO, both can be supported by appending information onto the end of the 
request string.  To support force authentication it would be to append 
something like /ForceReAuth at the end of the url, to look like 
https://login.wisc.edu/idp/Authn/RemoteUser/ForceAuthN. Likewise for 
Relying Party specific support it would be to append the Base64 url 
encoded string to the end like 
https://login.wisc.edu/idp/Authn/RemoteUser/bXkud2lzY29uc2luLmVkdS9zaGliYm9sZXRo.  
In the situation that the relying party asked for force re-auth in the 
SAML token it would then result in 
https://login.wisc.edu/idp/Authn/RemoteUser/ForceAuthN/bXkud2lzY29uc2luLmVkdS9zaGliYm9sZXRo.

I have something that I prototyped for appending the relying party, and 
just mocked up the piece for force authentication.  In the 
AuthenticationEngine I am setting a few attributes from the loginContext 
into the httpRequest as attributes to retrieve in the 
RemoteUserLoginHandler.

--- 
java-idp-2.1.5/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java    
2010-09-26 21:12:28.000000000 -0500
+++ 
java-idp/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java    
2010-10-22 15:23:19.000000000 -0500
@@ -247,6 +247,11 @@

             LoginHandler loginHandler = 
selectLoginHandler(possibleLoginHandlers, loginContext, idpSession);

+            httpRequest.setAttribute("WISC_FORCEAUTHN", 
loginContext.isForceAuthRequired());
+            httpRequest.setAttribute("WISC_RELYINGPARTY", 
loginContext.getRelyingPartyId());
+            httpRequest.setAttribute("WISC_RELYINGPARTY_BASE64",
+                                     
Base64.encodeBytes(loginContext.getRelyingPartyId().getBytes(),
+                                                        
Base64.DONT_BREAK_LINES));
             LOG.debug("Authenticating user with login handler of type 
{}", loginHandler.getClass().getName());
             loginContext.setAuthenticationAttempted();
             
loginContext.setAuthenticationEngineURL(HttpHelper.getRequestUriWithoutContext(httpRequest));


--- 
java-idp-2.1.5/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/RemoteUserLoginHandler.java    
2010-09-26 21:12:28.000000000 -0500
+++ 
java-idp/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/RemoteUserLoginHandler.java    
2010-11-04 10:15:23.000000000 -0500
@@ -18,9 +18,12 @@

 import java.io.IOException;

+import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

+
+import org.opensaml.xml.util.DatatypeHelper;
 import org.opensaml.util.URLBuilder;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -66,6 +69,26 @@
             }
             pathBuilder.append(servletURL);

+            boolean isForceAuthRequired = 
httpRequest.getAttribute("WISC_FORCEAUTHN"));
+            if (isForceAuthRequired) {
+                pathBuilder.append("/ForceAuthN");
+            }
+
+            String relyingParty = 
DatatypeHelper.safeTrimOrNullString((String) 
httpRequest.getAttribute("WISC_RELYINGPARTY"));
+            String relyingPartyBase64 = 
DatatypeHelper.safeTrimOrNullString((String) 
httpRequest.getAttribute("WISC_RELYINGPARTY_BASE64"));
+            if (relyingPartyBase64 == null) {
+                log.debug("No relyingParty");
+            } else {
+                log.debug("Yes relyingParty {}", relyingParty);
+                String URLrelyingPartyBase64 = 
relyingPartyBase64.replace("+", "-").replace("/", "_").replace("=","");
+                log.debug("appending {}", URLrelyingPartyBase64);
+                if (!servletURL.endsWith("/")) {
+                    pathBuilder.append("/");
+                }
+                pathBuilder.append(URLrelyingPartyBase64);
+            }
+
+
             URLBuilder urlBuilder = new URLBuilder();
             urlBuilder.setScheme(httpRequest.getScheme());
             urlBuilder.setHost(httpRequest.getServerName());


There are lots of other supporting code like configuration and clean up 
for this to work, but I was mainly seeking feedback on passing the 
information to the RemoteUserLoginHandler.


-Bradley Schwoerer