Setting up ECP in shibboleth SP

Chad La Joie lajoie at shibboleth.net
Mon Jan 2 23:15:25 GMT 2012


In my opinion (and Scott may disagree), because the SAML spec does not
actually cover authentication, it also doesn't cover the case when
authentication is done by an external system and fails.

In a perfect world, I would want the IdP to return a SAML error saying
authentication failed.  But there is no way to actually do that when you
call out to another system and it never returns control back to the IdP.

On 1/2/12 6:08 PM, Anand Somani wrote:
> So is the response (for auth failure in case of ECP) within the spec or not?
> The reason I ask is if our customer wants to use another IdP, would our
> ECP code be different because it handles the credential validation
> differently, so instead of a 401 it returns a proper SOAP with auth denied.
> 
> Thanks
> 
> 
> 
> On Fri, Dec 30, 2011 at 3:56 PM, Chad La Joie <lajoie at itumi.biz> wrote:
> 
>     That is the expected behavior currently.  Authentication occurs
>     outside the IdP, so it's the web server or servlet container giving you
>     that error.
> 
>     On Fri, Dec 30, 2011 at 18:35, Anand Somani <meatforums at gmail.com> wrote:
>     > Follow-up question on the setup for ECP. Everything seems to work as
>     > expected for a successful login, but for a bad password the client gets a
>     > 401 and an HTML response body. I would have expected a SOAP response/fault
>     > (from the IdP) with a rejection/denied that I could pass to the SP. Is
>     > this not the correct expectation? Maybe my IdP setup is not complete,
>     > even though it seems to work?
>     >
>     > Thanks
>     >
>     >
>     > On Wed, Dec 21, 2011 at 5:56 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>     >>
>     >> For the sake of the list archive, the crash was in an old log4shib
>     >> version that was fixed several years ago and has nothing to do with
>     >> ECP in particular.
>     >>
>     >> -- Scott
>     >>
>     >> --
>     >> To unsubscribe from this list send an email to
>     >> users-unsubscribe at shibboleth.net
>     <mailto:users-unsubscribe at shibboleth.net>
>     >
>     >
>     >
> 
> 
> 
>     --
>     Chad La Joie
>     www.itumi.biz
>     trusted identities, delivered
> 
> 
> 
> 
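An added example, not code from this thread or from Shibboleth: a client-side handler for the ECP reply that separates the container-level 401 described above (authentication rejected before the IdP ran) from a SOAP fault and from a SAML Response whose Status is not Success, so the SP side can treat all three as "auth denied". The function name and the sample messages are constructed for illustration.

```python
# Added example: classify an IdP ECP endpoint reply on the client side.
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def classify_ecp_response(status_code, content_type, body):
    """Return (outcome, detail) for an HTTP reply from the ECP endpoint.

    outcome is 'container-auth-failed', 'soap-fault', 'saml-error',
    'saml-response' or 'unexpected'. Name is an assumption for this example.
    """
    # The thread's case: the servlet container rejected the credentials
    # before the IdP ran, so the reply is a 401 with an HTML body, not SOAP.
    if status_code == 401:
        return "container-auth-failed", None
    if "xml" not in (content_type or ""):
        return "unexpected", "non-XML body with HTTP %d" % status_code
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return "unexpected", "unparseable body: %s" % exc
    fault = root.find("soap:Body/soap:Fault", NS)
    if fault is not None:  # SOAP 1.1 fault children are unqualified
        return "soap-fault", fault.findtext("faultstring") or ""
    code_el = root.find(
        "soap:Body/samlp:Response/samlp:Status/samlp:StatusCode", NS)
    if code_el is None:
        return "unexpected", "no samlp:Response/Status in SOAP body"
    code = code_el.get("Value")
    if code != SUCCESS:
        # Second-level StatusCode (e.g. AuthnFailed) carries the real reason.
        sub = code_el.find("samlp:StatusCode", NS)
        return "saml-error", sub.get("Value") if sub is not None else code
    return "saml-response", code

# Constructed samples (not real IdP output) for the three failure shapes.
HTML_401 = "<html><body>Unauthorized</body></html>"
SOAP_FAULT = ('<soap:Envelope xmlns:soap="%s"><soap:Body><soap:Fault>'
              '<faultcode>soap:Client</faultcode><faultstring>Authentication '
              'denied</faultstring></soap:Fault></soap:Body></soap:Envelope>'
              % NS["soap"])
SAML_DENIED = ('<soap:Envelope xmlns:soap="%s"><soap:Body><samlp:Response '
               'xmlns:samlp="%s" ID="_r1" Version="2.0"><samlp:Status>'
               '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:'
               'Responder"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:'
               '2.0:status:AuthnFailed"/></samlp:StatusCode></samlp:Status>'
               '</samlp:Response></soap:Body></soap:Envelope>'
               % (NS["soap"], NS["samlp"]))
```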

