SP Without SSO...
Manuel Haim
haim at hrz.uni-marburg.de
Fri Sep 16 09:35:45 BST 2011
Hi John,
we have written a custom login handler here which might suit some of
your needs:
a) When doing forceAuthn, you can log in under a different name (the
previous login is destroyed).
b) For kiosk machines (detected by IP address), it shows an additional
"Guest login" button.
c) The IP address of the user is added to the session's
publicCredentials (for use in attribute resolution, but please take care
of this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20110718.txt).
d) The user can deactivate SSO when he logs in (this is done by
combining the PreviousSession and UsernamePassword login handlers into just
one login handler which handles both). This way, the user will be asked
to log in again for each SP. This option may also train our current
users to understand what SSO means (as by now, without Shibboleth, they
still need to log in to each single web application).
e) As we have multiple user bases, the user can choose the domain he
belongs to when logging in (e.g. "staff" or "students").
Please send me an email if you would like to have a glimpse at the code.
-Manuel