Multiple Username/Password login handlers
Clay Cooper
cacits at rit.edu
Wed Aug 8 10:25:14 EDT 2012
I'm trying to implement two Username/Password login handlers so I can have two different LDAP configurations. One LDAP supports one-time passwords and the other does not. I've successfully been able to implement two RemoteUser login handlers so I'm not sure where I'm failing with the UserPass ones.
My configurations are:
handler.xml -
<ph:LoginHandler xsi:type="ph:UsernamePassword"
jaasConfigurationLocation="file:///opt /shibboleth/conf/tplogin.config">
<ph:AuthenticationMethod>urn:mace:rit.edu:Authn:TPPasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>
/opt /shibboleth/conf/tplogin.config exists with modifications based on the default login.config
web.xml -
<servlet>
<servlet-name>TPUsernamePasswordAuthHandler</servlet-name>
<servlet-class>edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet</servlet-class>
<load-on-startup>3</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>TPUsernamePasswordAuthHandler</servlet-name>
<url-pattern>/Authn/TPUserPassword</url-pattern>
</servlet-mapping>
relying-party.xml -
<rp:RelyingParty
id="https://sp.example.com"
provider="https://<shib-idp>/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential"
defaultAuthenticationMethod="urn:mace:rit.edu:Authn:TPPasswordProtectedTransport">
<rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
encryptAssertions="never"
encryptNameIds="never" />
</rp:RelyingParty>
IdP is version 2.3.2 (I know it's not the latest version.)
When trying to authenticate using IdP-initiated SSO I get passed to /idp/Authn/UserPassword instead of /idp/Authn/TPUserPassword; however, /idp/Authn/TPUserPassword gives me the login form.
Another issue that might be related is that the wiki says the LoginHandler element takes an optional parameter of authenticationServletURL; however, the IdP fails to start and gives the error:
12:50:50.006 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:188] - [] - [] - Configuration was not loaded for shibboleth.HandlerManager service, error creating components. The root cause of this error was: org.xml.sax.SAXParseException: cvc-complex-type.3.2.2: Attribute 'protectedServletPath' is not allowed to appear in element 'ph:LoginHandler'.
My final thought is that I'm trying to implement this in the wrong way and gladly welcome anyone to tell me so.
Clay Cooper
Systems Administrator
Information Technology Services
Rochester Institute of Technology
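The post above wires a second UsernamePassword handler through three files (handler.xml, web.xml, relying-party.xml) and reports being routed to /idp/Authn/UserPassword instead of the new servlet. The script below is an added example, not code from the poster or from the Shibboleth project: it parses the three configs and cross-checks them, flagging handlers whose servlet path has no web.xml mapping, relying parties whose defaultAuthenticationMethod no LoginHandler declares, and handlers that resolve to the same servlet path. It assumes, as the poster says the wiki documents, that a UsernamePassword LoginHandler names its servlet with an authenticationServletURL attribute and falls back to /Authn/UserPassword when that attribute is absent; the sample configs are constructed from the post (the second handler is shown both as posted and with that attribute added), and the hostnames in them are placeholders.

```python
"""Cross-check a Shibboleth IdP 2.x login-handler setup.

Added example, not from the original post or the Shibboleth project.
Assumption: a UsernamePassword LoginHandler selects its servlet via the
authenticationServletURL attribute (as the poster reports the wiki says)
and defaults to /Authn/UserPassword when the attribute is absent.
All three configs below are constructed from the post.
"""
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
DEFAULT_USERPASS_URL = "/Authn/UserPassword"  # assumed default servlet path

# handler.xml as posted: the second handler names no servlet path of its own.
HANDLER_XML_AS_POSTED = """<ph:ProfileHandlerGroup
  xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <ph:LoginHandler xsi:type="ph:UsernamePassword"
   jaasConfigurationLocation="file:///opt/shibboleth/conf/login.config">
  <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
 </ph:LoginHandler>
 <ph:LoginHandler xsi:type="ph:UsernamePassword"
   jaasConfigurationLocation="file:///opt/shibboleth/conf/tplogin.config">
  <ph:AuthenticationMethod>urn:mace:rit.edu:Authn:TPPasswordProtectedTransport</ph:AuthenticationMethod>
 </ph:LoginHandler>
</ph:ProfileHandlerGroup>"""

# Same file with the second handler pointed at its own servlet (assumed attribute).
HANDLER_XML_FIXED = HANDLER_XML_AS_POSTED.replace(
    'jaasConfigurationLocation="file:///opt/shibboleth/conf/tplogin.config"',
    'authenticationServletURL="/Authn/TPUserPassword"\n'
    '   jaasConfigurationLocation="file:///opt/shibboleth/conf/tplogin.config"')

# web.xml: both servlet mappings from the post (constructed, trimmed to mappings).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
 <servlet-mapping><servlet-name>UsernamePasswordAuthHandler</servlet-name>
  <url-pattern>/Authn/UserPassword</url-pattern></servlet-mapping>
 <servlet-mapping><servlet-name>TPUsernamePasswordAuthHandler</servlet-name>
  <url-pattern>/Authn/TPUserPassword</url-pattern></servlet-mapping>
</web-app>"""

# relying-party.xml: the relying party from the post (placeholder IdP hostname).
RP_XML = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
  xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <rp:RelyingParty id="https://sp.example.com" provider="https://idp.example.edu/idp/shibboleth"
   defaultAuthenticationMethod="urn:mace:rit.edu:Authn:TPPasswordProtectedTransport">
  <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"/>
 </rp:RelyingParty>
</rp:RelyingPartyGroup>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def login_handlers(handler_xml):
    """Return each LoginHandler as a dict: type, methods, servlet path, JAAS file."""
    handlers = []
    for el in ET.fromstring(handler_xml).iter():
        if _local(el.tag) != "LoginHandler":
            continue
        htype = el.get(XSI_TYPE, "")
        servlet = el.get("authenticationServletURL")
        if servlet is None and htype.endswith("UsernamePassword"):
            servlet = DEFAULT_USERPASS_URL  # assumed fallback
        handlers.append({
            "type": htype,
            "methods": [m.text.strip() for m in el if _local(m.tag) == "AuthenticationMethod"],
            "servlet": servlet,
            "jaas": el.get("jaasConfigurationLocation"),
        })
    return handlers


def servlet_url_patterns(web_xml):
    """Set of url-pattern values declared under servlet-mapping in web.xml."""
    return {c.text.strip() for el in ET.fromstring(web_xml).iter()
            if _local(el.tag) == "servlet-mapping"
            for c in el if _local(c.tag) == "url-pattern"}


def relying_party_defaults(rp_xml):
    """Map relying party id -> defaultAuthenticationMethod."""
    return {el.get("id"): el.get("defaultAuthenticationMethod")
            for el in ET.fromstring(rp_xml).iter() if _local(el.tag) == "RelyingParty"}


def check(handler_xml, web_xml, rp_xml):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings, declared, by_servlet = [], {}, {}
    patterns = servlet_url_patterns(web_xml)
    for h in login_handlers(handler_xml):
        for m in h["methods"]:
            if m in declared:
                findings.append(f"method {m} declared by more than one LoginHandler")
            declared[m] = h
        if h["servlet"]:
            by_servlet.setdefault(h["servlet"], []).append(h)
            if h["servlet"] not in patterns:
                findings.append(f"{h['servlet']} has no servlet-mapping in web.xml")
    for url, hs in by_servlet.items():
        if len(hs) > 1:  # two handlers routed to one servlet: the post's symptom
            methods = ", ".join(m for h in hs for m in h["methods"])
            findings.append(f"{len(hs)} LoginHandlers share servlet path {url} ({methods})")
    for rp_id, method in relying_party_defaults(rp_xml).items():
        if method and method not in declared:
            findings.append(f"relying party {rp_id}: defaultAuthenticationMethod {method} not declared")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", HANDLER_XML_AS_POSTED), ("fixed", HANDLER_XML_FIXED)):
        print(label, "->", check(cfg, WEB_XML, RP_XML) or "no findings")
```

Run against the as-posted handler.xml, the only finding is that both UsernamePassword handlers resolve to /Authn/UserPassword, which is consistent with the redirect the poster sees; with the attribute added, the checks pass. Whether that attribute is the actual cause of the poster's problem is an assumption of this example, and the check says nothing about the schema error quoted in the post.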