Multiple Username/Password login handlers

Chad La Joie lajoie at itumi.biz
Wed Aug 8 10:30:44 EDT 2012


So, there is no way you could get that error given the config snippet
you showed since the attribute it's complaining about does not exist.

That said, even if it loaded, your config isn't going to work like you
want it to.  JAAS is configured at the JVM level so one JAAS config file
is just going to overwrite the other one.  I *think* there is a
configuration option that allows you to specify the name of the JAAS
configuration you want to use.  So you'd load the same config file in
both handlers.  The file would have two different configs and you'd
reference them in the config of each login handler.

On Wed, Aug 8, 2012 at 10:25 AM, Clay Cooper <cacits at rit.edu> wrote:
> I’m trying to implement two Username/Password login handlers so I can have
> two different LDAP configurations. One LDAP supports one-time passwords and
> the other does not. I’ve successfully been able to implement two RemoteUser
> login handlers so I’m not sure where I’m failing with the UserPass ones.
>
> My configurations are:
>
> handler.xml –
>
>     <ph:LoginHandler xsi:type="ph:UsernamePassword"
>                   jaasConfigurationLocation="file:///opt /shibboleth/conf/tplogin.config">
>         <ph:AuthenticationMethod>urn:mace:rit.edu:Authn:TPPasswordProtectedTransport</ph:AuthenticationMethod>
>     </ph:LoginHandler>
>
> /opt /shibboleth/conf/tplogin.config exists with modifications based off the
> default login.config
>
> web.xml -
>
>     <servlet>
>         <servlet-name>TPUsernamePasswordAuthHandler</servlet-name>
>         <servlet-class>edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet</servlet-class>
>         <load-on-startup>3</load-on-startup>
>     </servlet>
>
>     <servlet-mapping>
>         <servlet-name>TPUsernamePasswordAuthHandler</servlet-name>
>         <url-pattern>/Authn/TPUserPassword</url-pattern>
>     </servlet-mapping>
>
> relying-party.xml –
>
>     <rp:RelyingParty
>         id="https://sp.example.com"
>         provider="https://<shib-idp>/idp/shibboleth"
>         defaultSigningCredentialRef="IdPCredential"
>         defaultAuthenticationMethod="urn:mace:rit.edu:Authn:TPPasswordProtectedTransport">
>         <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
>                 encryptAssertions="never"
>                 encryptNameIds="never" />
>     </rp:RelyingParty>
>
> IdP is version 2.3.2 (I know it’s not the latest version.)
>
>
>
> When trying to authenticate using IdP initiated SSO I get passed to
> /idp/Authn/UserPassword instead of /idp/Authn/TPUserPassword however
> /idp/Authn/TPUserPassword gives me the login form.
>
>
>
> Another issue that might be related is that the wiki says that the
> LoginHandler element takes an optional parameter of authenticationServletURL
> however the IdP fails to start and gives the error:
>
> 12:50:50.006 - ERROR
> [edu.internet2.middleware.shibboleth.common.config.BaseService:188] - [] -
> [] - Configuration was not loaded for shibboleth.HandlerManager service,
> error creating components.  The root cause of this error was:
> org.xml.sax.SAXParseException: cvc-complex-type.3.2.2: Attribute
> 'protectedServletPath' is not allowed to appear in element
> 'ph:LoginHandler'.
>
> My final thought is that I’m trying to implement this in the wrong way and
> gladly welcome anyone to tell me so.
>
> Clay Cooper
>
> Systems Administrator
>
> Information Technology Services
>
> Rochester Institute of Technology



-- 
Chad La Joie
www.itumi.biz
trusted identities, delivered
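
Added example, not part of the original thread: the reply's point that the JAAS configuration is a single JVM-wide setting, and that one file can hold several named entries selected by name, shown with the standard JDK `Configuration` API. The entry names `OtpLdapAuth` and `PlainLdapAuth`, the LDAP URLs and the use of the JDK's `LdapLoginModule` are constructed for illustration; how an IdP login handler is told which entry name to use is not shown here.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class JaasNamedEntries {
    // Constructed sample: one JAAS file with two named entries (names and URLs are made up).
    static final String JAAS_FILE = String.join("\n",
        "OtpLdapAuth {",
        "  com.sun.security.auth.module.LdapLoginModule required",
        "    userProvider=\"ldap://otp-ldap.example.org/ou=people,dc=example,dc=org\"",
        "    authIdentity=\"uid={USERNAME},ou=people,dc=example,dc=org\";",
        "};",
        "PlainLdapAuth {",
        "  com.sun.security.auth.module.LdapLoginModule required",
        "    userProvider=\"ldap://ldap.example.org/ou=people,dc=example,dc=org\"",
        "    authIdentity=\"uid={USERNAME},ou=people,dc=example,dc=org\";",
        "};");

    public static void main(String[] args) throws Exception {
        Path file = Files.createTempFile("login", ".config");
        Files.writeString(file, JAAS_FILE);

        // The file location is one system property for the whole JVM, so every
        // component that uses the default Configuration reads the same file.
        System.setProperty("java.security.auth.login.config", file.toUri().toString());
        Configuration jvmWide = Configuration.getConfiguration();

        // Two consumers can still authenticate against different LDAP servers by
        // asking for different entry names (as with new LoginContext(name, handler)).
        for (String name : new String[] {"OtpLdapAuth", "PlainLdapAuth", "NotDefined"}) {
            AppConfigurationEntry[] entries = jvmWide.getAppConfigurationEntry(name);
            if (entries == null) {
                // A name missing from the shared file is reported, not silently defaulted.
                System.out.println(name + ": no such entry in the JVM-wide configuration");
                continue;
            }
            for (AppConfigurationEntry e : entries) {
                System.out.println(name + ": " + e.getLoginModuleName()
                    + " -> " + e.getOptions().get("userProvider"));
            }
        }
    }
}
```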

