Is it possible to do different authentication based on different SP?
Yaowen Tu
yaowen.tu at gmail.com
Thu Aug 16 18:53:43 EDT 2012
Scott,
I am trying to go through the option (1) by deploying multiple login
handlers, and specify AuthnContextClassRef in the request.
I want to use different UserNamePassword Handler for both SPs. Can I define
something like:
<ph:LoginHandler xsi:type="ph:UsernamePassword"
    jaasConfigurationLocation="file://C:\opt\shibboleth-idp/conf/login.config">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>
<ph:LoginHandler xsi:type="ph:UsernamePasswordLDAP"
    jaasConfigurationLocation="file://C:\opt\shibboleth-idp/conf/loginLDAP.config">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>
But I don't know how to specify it in AuthnContextClassRef. After reading
the document, it seems like AuthnContextClassRef only accepts things like:
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Am I missing anything?
Is there a sample configuration that I can refer to?
Also, is it possible to configure it so the IdP knows that all the AuthnRequests
that come from SP1 will use LoginHandler1, so we don't need to specify it
in the request any more?
Thanks,
Yaowen
On Thu, Aug 16, 2012 at 10:55 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 8/16/12 1:49 PM, "Yaowen Tu" <yaowen.tu at gmail.com> wrote:
> >
> >Thanks folks. Looks like there are two ways to achieve it:
>
> There are almost certainly a dozen ways. We're just identifying the most
> obvious ones.
>
> -- Scott