shibboleth-dev - Re: [Shib-Dev] custom LoginHandler accessing SP entityID

Subject: Shibboleth Developers

  • From: Jeffrey Eaton <>
  • To: "<>" <>
  • Subject: Re: [Shib-Dev] custom LoginHandler accessing SP entityID
  • Date: Fri, 13 May 2011 13:28:22 +0000
  • Accept-language: en-US


On May 12, 2011, at 4:24 PM, Cantor, Scott E. wrote:

> On 5/12/11 3:37 PM, "Jeffrey Eaton"
> <>
> wrote:
>> I tried cloning the RemoteUser login handler, but I can't find a way to
>> get the entityID in RemoteUserAuthServlet. In RemoteUserLoginHandler,
>> that's available by doing:
>>
>> HttpServletHelper.getLoginContext(httpRequest).getRelyingPartyId();
>>
>> however, after the redirect to the Servlet (which is what is actually
>> protected by Apache, so the first place the REMOTE_USER is
>> available), that does not work, since it's a different httpRequest. I
>> don't see any other way to access the SP entityID from there.
>
> LoginContext loginContext = HttpServletHelper.getLoginContext(
> HttpServletHelper.getStorageService(getServletContext()),
> getServletContext(), request);

Aha, thanks. That gets me exactly what I need. With this, I can at least
get something functional for now.

>
>> Really, I think I want to do this later, after attribute resolution,
>> because then I can just look to see if any of the LDAP attributes were
>> resolved, then act based on that.
>
> You can't do anything afterwards, that's already after returning control,
> you have to mock up a resolution yourself and rely on caching to avoid it
> costing you a lot to do it again.
>
> -- Scott
>

I was actually thinking of hooking in the same way uApprove does it. Where
uApprove displays the attributes and asks for the user consent, I would just
have my logic examine the entityID of the SP, and either allow it to pass or
not. Does that sound reasonable/feasible?

-jeaton



