
shibboleth-dev - Re: [Shib-Dev] Sharing configuration between LoginHandler and servlet

Subject: Shibboleth Developers

  • From: Christopher Bongaarts <>
  • To:
  • Subject: Re: [Shib-Dev] Sharing configuration between LoginHandler and servlet
  • Date: Tue, 07 Dec 2010 16:27:15 -0600
  • Organization: University of Minnesota

Cantor, Scott E. wrote:
> > I need it in both - I'm checking the value (an AuthnContext) against the
> > requestedAuthenticationMethods in the LoginHandler in order to determine
> > to which of two RemoteUser servlet endpoints to redirect to, and I need
> > it in the servlet to set the AUTHENTICATION_METHOD_KEY attribute on the
> > way out.
>
> Isn't that transactional though? Wouldn't you need a way to prevent somebody from
> rerouting their traffic to the "other" servlet on the way back to distort
> their results? Seems like there would need to be something in the way you're picking up
> the results of the external SSO to ensure the method chosen is the right one.

Not in our case - the idea is that the SP signals whether it wants SuperGoldenCrunchy authentication instead of PlainVanilla. One of my RemoteUser servlet endpoints is configured to signal our local SSO that SGC auth is desired, and to change the presented UI accordingly.

When the user returns to the servlet, our local SSO sets AUTH_TYPE to indicate whether SGC was actually used or not (based on validation of our SSO cookie with our authentication service). The servlet then needs to pass along this result to the AuthenticationEngine so that the result can be signaled back to the originating SP.

--
%% Christopher A. Bongaarts %%

%%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
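
The decision discussed in this thread, as an added sketch that is not code from the message or from the Shibboleth project: the method reported back is derived only from the AUTH_TYPE value the local SSO validated, never from which servlet endpoint the browser returned to, and it is checked against what the SP requested. The AuthnContext URIs, the AUTH_TYPE values "sgc" and "plain", and the class and method names are constructed placeholders, and exact-match comparison of methods is an assumption.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class ReportedAuthnMethod {
    // Constructed placeholder URIs; the thread does not give the real AuthnContext values.
    static final String SGC = "urn:example:authn:SuperGoldenCrunchy";
    static final String PLAIN = "urn:example:authn:PlainVanilla";

    // Hypothetical AUTH_TYPE values, set by the local SSO after it validated its cookie.
    static final Map<String, String> AUTH_TYPE_TO_METHOD = Map.of("sgc", SGC, "plain", PLAIN);

    /** Method actually performed, taken only from the validated AUTH_TYPE. */
    static Optional<String> methodFromSso(String authType) {
        if (authType == null) {
            return Optional.empty(); // Map.of(...).get(null) would throw
        }
        return Optional.ofNullable(AUTH_TYPE_TO_METHOD.get(authType));
    }

    /**
     * Value the servlet would store under AUTHENTICATION_METHOD_KEY,
     * or empty when the login must be failed instead.
     */
    static Optional<String> decide(String authType, List<String> requestedMethods) {
        Optional<String> performed = methodFromSso(authType);
        if (performed.isEmpty()) {
            return Optional.empty(); // missing or unknown AUTH_TYPE: fail closed
        }
        // An empty list means the SP expressed no preference.
        if (requestedMethods.isEmpty() || requestedMethods.contains(performed.get())) {
            return performed;
        }
        return Optional.empty(); // e.g. SGC requested but only PlainVanilla performed
    }

    public static void main(String[] args) {
        // Constructed cases: SGC requested and performed, SGC requested but
        // plain performed, no preference, and an unrecognised AUTH_TYPE.
        System.out.println(decide("sgc", List.of(SGC)));
        System.out.println(decide("plain", List.of(SGC)));
        System.out.println(decide("plain", List.of()));
        System.out.println(decide("bogus", List.of(PLAIN)));
    }
}
```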


