Shibboleth Users



RE: Is Shibboleth right for me?


  • From: Richard Gundersen < >
  • To: < >
  • Subject: RE: Is Shibboleth right for me?
  • Date: Wed, 30 Apr 2008 16:17:46 +0100
  • Importance: Normal

Hi Chad

Thanks for the quick response. I've been trying CAS recently and am finding it hard-going, so (since I have used OpenSAML a couple of years ago) I thought Shibboleth was worth a look (and still do).

Could I just pick up on a couple of your points?

> All information provided by shib is available to the application in HTTP
> headers. So there is no API (which sounded like what you were saying
> when you said 'principal object').

Sounds like I could write a Servlet Filter that reads these attributes (which would mostly be roles from LDAP) and constructs a Principal object that's then put in the session. Is this a common way of doing it?

> This depends a great deal on how you do the authentication. In most
> cases, no, it can not do this because the authentication system simply
> returns a "no" from the authentication operation. So Shib doesn't know
> any more than that.

On a login failure, I wonder if I could redirect somewhere that then performs a more detailed LDAP lookup (if the LDAP server has this functionality) to work out the reason for login failure. Do you know of any implementations of Shibboleth that have managed to do this?

Regards

Richard


> Date: Wed, 30 Apr 2008 10:46:46 -0400
> From:
> To:
> Subject: Re: Is Shibboleth right for me?
>
>
>
> Richard Gundersen wrote:
> > 1) Replace OID as the SSO system protecting about 10 web apps (some Spring, some older ones non-Spring)
>
> Yes, the IdP + SP components give you an SSO system.
>
> > 2) Authenticate against LDAP and provide the user's roles in a principal object in the session (which the apps will read)
>
> Shib can authenticate against most authn mechanisms that I've seen
> either by code included with Shib (in version 2) or the code that allows
> Shib to use the results of the web server/container's authentication
> mechanisms.
>
> All information provided by shib is available to the application in HTTP
> headers. So there is no API (which sounded like what you were saying
> when you said 'principal object').
>
> > 3) Detect the reason for a login failure so that I can e.g. redirect the user to a 'change password' screen if a password has expired, or display a message such as 'your account is locked' if it's locked.
>
> This depends a great deal on how you do the authentication. In most
> cases, no, it can not do this because the authentication system simply
> returns a "no" from the authentication operation. So Shib doesn't know
> any more than that.
>
>
> --
> SWITCH
> Serving Swiss Universities
> --------------------------
> Chad La Joie, Software Engineer, Security
> Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
> phone +41 44 268 15 75, fax +41 44 268 15 68
> http://www.switch.ch
>
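The Servlet Filter Richard sketches above (read the SP's attribute headers, build a Principal, park it in the session), written out as an added example that is not from the thread or from the Shibboleth project. The header names `eppn`, `affiliation` and `Shib-Session-ID`, and the `;` separator for multi-valued attributes, are assumptions about the SP's attribute-map.xml configuration; the filter also refuses requests that carry no SP session header, since the headers are only meaningful when the request actually passed through the SP.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class ShibPrincipalFilter implements Filter {
    static final String SESSION_KEY = "shibPrincipal";
    // Assumed header names: attribute-map.xml on the SP decides what exists.
    static final String ID_HEADER = "eppn";
    static final String ROLE_HEADER = "affiliation"; // multi-valued, assumed ';'-joined by the SP

    // Immutable Principal carrying the roles taken from the SP headers.
    public static final class ShibPrincipal implements Principal, java.io.Serializable {
        private final String name;
        private final Set<String> roles;
        ShibPrincipal(String name, Set<String> roles) {
            this.name = name;
            this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
        }
        public String getName() { return name; }
        public boolean hasRole(String role) { return roles.contains(role); }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(true);
        if (session.getAttribute(SESSION_KEY) == null) {
            // Headers are only trustworthy when the request came through the SP, which sets
            // Shib-Session-ID and overwrites client-supplied copies of these headers; the
            // application must not be reachable by any path that bypasses the SP.
            String shibSession = http.getHeader("Shib-Session-ID");
            String id = http.getHeader(ID_HEADER);
            if (shibSession == null || id == null || id.isEmpty()) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            Set<String> roles = new HashSet<String>();
            String raw = http.getHeader(ROLE_HEADER);
            if (raw != null) {
                for (String r : raw.split(";")) { if (!r.trim().isEmpty()) roles.add(r.trim()); }
            }
            session.setAttribute(SESSION_KEY, new ShibPrincipal(id, roles));
        }
        chain.doFilter(req, res);
    }
    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

Map the filter in web.xml in front of the protected applications and have them read the `ShibPrincipal` from the session under `shibPrincipal`.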

