shibboleth-dev - [Shib-Dev] logincontext & Remote User Login Handler

Subject: Shibboleth Developers

  • From: Bradley Schwoerer <>
  • To:
  • Subject: [Shib-Dev] logincontext & Remote User Login Handler
  • Date: Thu, 04 Nov 2010 10:25:07 -0500

I am looking for feedback on how to best make some changes to the RemoteUserLoginHandler. I want to access information about the loginContext in the RemoteUserLoginHandler.

The use case is to be able to support two additional things with RemoteUser authentication. The first is to allow for Relying Party specific extensions and the second is to support force authentication. IMHO, both can be supported by appending information onto the end of the request string. To support force authentication it would be to append something like /ForceReAuth at the end of the url, to look like https://login.wisc.edu/idp/Authn/RemoteUser/ForceAuthN. Likewise for Relying Party specific support it would be to append the Base64 url encoded string to the end like https://login.wisc.edu/idp/Authn/RemoteUser/bXkud2lzY29uc2luLmVkdS9zaGliYm9sZXRo. In the situation that the relying party asked for force re-auth in the SAML token it would then result in https://login.wisc.edu/idp/Authn/RemoteUser/ForceAuthN/bXkud2lzY29uc2luLmVkdS9zaGliYm9sZXRo.

I have something that I prototyped for appending the relying party, and just mocked up the piece for force authentication. In the AuthenticationEngine I am setting a few attributes from the loginContext into the httpRequest as attributes to retrieve in the RemoteUserLoginHandler.

--- java-idp-2.1.5/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java 2010-09-26 21:12:28.000000000 -0500
+++ java-idp/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java 2010-10-22 15:23:19.000000000 -0500
@@ -247,6 +247,11 @@

LoginHandler loginHandler = selectLoginHandler(possibleLoginHandlers, loginContext, idpSession);

+ httpRequest.setAttribute("WISC_FORCEAUTHN", loginContext.isForceAuthRequired());
+ httpRequest.setAttribute("WISC_RELYINGPARTY", loginContext.getRelyingPartyId());
+ httpRequest.setAttribute("WISC_RELYINGPARTY_BASE64",
+ Base64.encodeBytes(loginContext.getRelyingPartyId().getBytes(),
+ Base64.DONT_BREAK_LINES));
LOG.debug("Authenticating user with login handler of type {}", loginHandler.getClass().getName());
loginContext.setAuthenticationAttempted();
loginContext.setAuthenticationEngineURL(HttpHelper.getRequestUriWithoutContext(httpRequest));
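Review bot: the third added line calls `loginContext.getRelyingPartyId().getBytes()`, which encodes with the platform default charset and throws a NullPointerException for any request whose login context has no relying party id, failing the whole authentication pass rather than just omitting the attribute. Guard the null case and fix the charset, e.g. `String rpId = loginContext.getRelyingPartyId(); if (rpId != null) { ... Base64.encodeBytes(rpId.getBytes("UTF-8"), Base64.DONT_BREAK_LINES) ... }`. Since the handler later rewrites this value into base64url form anyway, producing the URL-safe string here in one step would remove the second transformation and the duplicated plain/base64 attribute pair.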


--- java-idp-2.1.5/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/RemoteUserLoginHandler.java 2010-09-26 21:12:28.000000000 -0500
+++ java-idp/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/RemoteUserLoginHandler.java 2010-11-04 10:15:23.000000000 -0500
@@ -18,9 +18,12 @@

import java.io.IOException;

+import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

+
+import org.opensaml.xml.util.DatatypeHelper;
import org.opensaml.util.URLBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
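Review bot: `import javax.servlet.http.HttpServlet;` is not used by any of the added code, and the bare `+` line before the DatatypeHelper import only adds an empty line to the import block; drop both and place `import org.opensaml.xml.util.DatatypeHelper;` with the other `org.opensaml` imports in alphabetical order.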
@@ -66,6 +69,26 @@
}
pathBuilder.append(servletURL);

+ boolean isForceAuthRequired = httpRequest.getAttribute("WISC_FORCEAUTHN"));
+ if (isForceAuthRequired) {
+ pathBuilder.append("/ForceAuthN");
+ }
+
+ String relyingParty = DatatypeHelper.safeTrimOrNullString((String) httpRequest.getAttribute("WISC_RELYINGPARTY"));
+ String relyingPartyBase64 = DatatypeHelper.safeTrimOrNullString((String) httpRequest.getAttribute("WISC_RELYINGPARTY_BASE64"));
+ if (relyingPartyBase64 == null) {
+ log.debug("No relyingParty");
+ } else {
+ log.debug("Yes relyingParty {}", relyingParty);
+ String URLrelyingPartyBase64 = relyingPartyBase64.replace("+", "-").replace("/", "_").replace("=","");
+ log.debug("appending {}", URLrelyingPartyBase64);
+ if (!servletURL.endsWith("/")) {
+ pathBuilder.append("/");
+ }
+ pathBuilder.append(URLrelyingPartyBase64);
+ }
+
+
URLBuilder urlBuilder = new URLBuilder();
urlBuilder.setScheme(httpRequest.getScheme());
urlBuilder.setHost(httpRequest.getServerName());
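Review bot: the first added line does not compile: `boolean isForceAuthRequired = httpRequest.getAttribute("WISC_FORCEAUTHN"));` has an unbalanced `)`, and `getAttribute` returns `Object`, so even with the cast a missing attribute would throw a NullPointerException on unboxing; `boolean isForceAuthRequired = Boolean.TRUE.equals(httpRequest.getAttribute("WISC_FORCEAUTHN"));` handles both. The separator logic is also wrong: `/ForceAuthN` is appended without checking for a trailing slash, so a `servletURL` ending in `/` yields `//ForceAuthN`, and the later `if (!servletURL.endsWith("/"))` tests the original URL rather than what is now in `pathBuilder`, so with force-authn set the relying party segment is glued on as `/ForceAuthNbXku...` with no `/` between them. Check `pathBuilder` (or its last character) before each append. Note as well that stripping `=` means whatever consumes this path must restore the padding before decoding, and `relyingParty` is only read for the debug message, so the plain attribute could be dropped.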


There is a lot of other supporting code, like configuration and clean-up, for this to work, but I was mainly seeking feedback on passing the information to the RemoteUserLoginHandler.


-Bradley Schwoerer
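The URL layout the post proposes, as an added example (Python, not code from the post or from the Shibboleth IdP): the IdP side builds the handler path from the force-authn flag and the relying party id, and the remote authentication side validates and decodes it again. `build_remote_user_path`, `parse_remote_user_path` and the segment regex are assumed names; restoring the `=` padding the patch strips is the step a consumer of this path has to supply.

```python
import base64
import re

# Handler base URL and marker taken from the post; segment pattern is an assumption.
HANDLER_URL = "https://login.wisc.edu/idp/Authn/RemoteUser"
FORCE_MARKER = "ForceAuthN"
_B64URL_SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")


def build_remote_user_path(base_url, relying_party_id, force_authn):
    """IdP side: append /ForceAuthN and the base64url relying party id.

    Joining on "/" avoids the doubled or missing separator that appending
    to a base ending in "/" would produce.
    """
    parts = [base_url.rstrip("/")]
    if force_authn:
        parts.append(FORCE_MARKER)
    if relying_party_id:
        raw = base64.urlsafe_b64encode(relying_party_id.encode("utf-8"))
        # The patch drops "=" padding; do the same so the path stays URL-clean.
        parts.append(raw.decode("ascii").rstrip("="))
    return "/".join(parts)


def parse_remote_user_path(base_url, path):
    """Remote-auth side: return (force_authn, relying_party_id or None).

    Anything that is not the marker or a well-formed base64url segment is
    rejected rather than decoded on a best-effort basis.
    """
    base = base_url.rstrip("/")
    if path != base and not path.startswith(base + "/"):
        raise ValueError("path is not under the RemoteUser handler URL")
    segments = [s for s in path[len(base):].split("/") if s]
    force = bool(segments) and segments[0] == FORCE_MARKER
    if force:
        segments = segments[1:]
    if not segments:
        return force, None
    if len(segments) != 1 or not _B64URL_SEGMENT.match(segments[0]):
        raise ValueError("malformed relying party segment")
    padded = segments[0] + "=" * (-len(segments[0]) % 4)  # restore stripped "="
    try:
        relying_party_id = base64.urlsafe_b64decode(padded).decode("utf-8")
    except ValueError as exc:  # covers binascii.Error and UnicodeDecodeError
        raise ValueError("relying party segment is not valid base64url") from exc
    return force, relying_party_id
```

The post's own sample value round-trips: the segment `bXkud2lzY29uc2luLmVkdS9zaGliYm9sZXRo` decodes to `my.wisconsin.edu/shibboleth`.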