shibboleth-dev - Re: [Shib-Dev] Principals in Session

  • From: Paul Hethmon <>
  • To: Shibboleth Dev <>
  • Subject: Re: [Shib-Dev] Principals in Session
  • Date: Tue, 30 Nov 2010 16:58:52 -0500

On 11/30/10 3:49 PM, "Brent Putman" <> wrote:

> So basically, after the previous session handler runs, you'll have both
> your principal and the Shib UsernamePrincipal in the Session's Subject.
> If you access that data from the session with Session#getPrincipalName,
> you will in fact get the Shib one b/c the accessor code gives preference
> to the Shib principal. That was to deal (partially and imperfectly)
> with the issue outlined in SIDPT-38 (which will be dealt with in some
> fashion in v3). Even if you don't have a Shib principal in there, but
> do have multiple principals, you'd still not be guaranteed to get your
> custom one, b/c of the random selection described in SIDPT-38.
>
> So what you should really do in your data connector is use
> Session#getSubject to get the entire session Subject and then obtain
> your custom Principal directly from that. That way you always get the
> one you want.

The data connector was already using the Session#getSubject path, so that
was fine. It was my mucking with AuthenticationEngine that left only the new
Principal from the PreviousSession handler in there.

Working on that part right now. I still have a need to only have a single
Principal per user though. I can see a way to do it but it puts a dependency
on my Shib build on my library. I haven't needed to do that with any tweaks
or plugins yet, so I hate to introduce it.

Of course, that doesn't even cover what I had to do to make it work with
Terracotta. Had multiple levels of errors there.

Thanks for the feedback, Brent.

Paul
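
A stand-alone illustration of Brent's recommendation, added here and not code from this thread or from Shibboleth: a Subject holding both a username-style principal and a custom one, the type-filtered look-up that always returns the custom principal, and the unordered look-up that does not. The two Principal classes and the constructed Subject are assumptions standing in for the IdP's own types, not its real classes.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectPrincipalLookup {

    // Hypothetical stand-in for the IdP's username principal (not the real class).
    static final class ShibUsernamePrincipal implements Principal {
        private final String name;
        ShibUsernamePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Hypothetical custom Principal that a data connector wants to read back.
    static final class CustomPrincipal implements Principal {
        private final String name;
        private final String externalId;
        CustomPrincipal(String name, String externalId) { this.name = name; this.externalId = externalId; }
        public String getName() { return name; }
        String getExternalId() { return externalId; }
    }

    // Fragile: whichever Principal the Set hands back first wins, so the answer depends on Set ordering.
    static Principal firstPrincipal(Subject subject) {
        Set<Principal> all = subject.getPrincipals();
        return all.isEmpty() ? null : all.iterator().next();
    }

    // Recommended: filter the Subject's principals by concrete class; other principals present do not matter.
    static CustomPrincipal customPrincipal(Subject subject) {
        Set<CustomPrincipal> matches = subject.getPrincipals(CustomPrincipal.class);
        if (matches.size() != 1) {
            // Zero means no handler added one; more than one is the ambiguity the thread describes.
            throw new IllegalStateException("expected exactly one CustomPrincipal, found " + matches.size());
        }
        return matches.iterator().next();
    }

    public static void main(String[] args) {
        // Constructed session Subject: both principals present, as after the PreviousSession handler runs.
        Subject subject = new Subject();
        subject.getPrincipals().add(new ShibUsernamePrincipal("jdoe"));
        subject.getPrincipals().add(new CustomPrincipal("jdoe", "emp-1234"));

        System.out.println("first principal  : " + firstPrincipal(subject).getClass().getSimpleName());
        System.out.println("custom principal : " + customPrincipal(subject).getExternalId());
    }
}
```

The first line of output may name either class depending on the Set's iteration order; the second always comes from the CustomPrincipal, which is the property the data connector needs.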

Archive powered by MHonArc 2.6.16.