Setting up ECP in shibboleth SP
Anand Somani
meatforums at gmail.com
Mon Jan 2 23:55:07 GMT 2012
But if I use the SSO browser profile, on auth failure I get redirected back
to SP with a message that access was denied.
I understand that with the container based approach it is not possible to
do this, but why is it that Shibboleth (for ECP profile) uses the container
auth (https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthRemoteUser)
and not the external auth (
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthExternal). It
seems like with ExternalAuth it would be possible to return a SOAP error
instead of 401.
What would be the best thing to do if I wanted to write an ECP client then?
I mean, if things are not in the spec, then it would almost depend on the IdP
implementation, which would force the client to be customizable and hence a
headache to maintain.
On Mon, Jan 2, 2012 at 3:15 PM, Chad La Joie <lajoie at shibboleth.net> wrote:
> In my opinion, and Scott may disagree, but because the SAML spec does
> not actually cover authentication it also doesn't cover the case when
> authentication is done by an external system and fails.
>
> In a perfect world, I would want the IdP to return a SAML error saying
> authentication failed. But there is no way to actually do that when you
> call out to another system and it never returns control back to the IdP.
>
> On 1/2/12 6:08 PM, Anand Somani wrote:
> > So is response (for auth failure in case of ECP) within the spec or not?
> > The reason I ask is if our customer wants to use another IdP, would our
> > ECP code be different because it handles the credential validation
> > differently, so instead of a 401, it returns a proper SOAP with auth
> > denied.
> >
> > Thanks
> >
> > On Fri, Dec 30, 2011 at 3:56 PM, Chad La Joie <lajoie at itumi.biz
> > <mailto:lajoie at itumi.biz>> wrote:
> >
> > That is the expected behavior currently. Authentication occurs
> > outside the IdP so it's the web server or servlet container giving you
> > that error.
> >
> > On Fri, Dec 30, 2011 at 18:35, Anand Somani <meatforums at gmail.com
> > <mailto:meatforums at gmail.com>> wrote:
> > > Follow up question on the setup for ECP. Everything seems to work as
> > > expected for a successful login, but for a bad password the client gets a
> > > 401 and an HTML response body. I would have expected a SOAP response/fault
> > > (from IdP) with a rejection/denied that I could pass to SP. Is this not the
> > > correct expectation? Maybe my IdP setup is not complete, even though it
> > > seems to work?
> > >
> > > Thanks
> > >
> > >
> > > On Wed, Dec 21, 2011 at 5:56 PM, Cantor, Scott <cantor.2 at osu.edu
> > <mailto:cantor.2 at osu.edu>> wrote:
> > >>
> > >> For the sake of the list archive, the crash was in an old
> > log4shib version
> > >> that was fixed several years ago and has nothing to do with ECP in
> > >> particular.
> > >>
> > >> -- Scott
> > >>
> > >> --
> > >> To unsubscribe from this list send an email to
> > >> users-unsubscribe at shibboleth.net
> > <mailto:users-unsubscribe at shibboleth.net>
> > >
> >
> >
> >
> > --
> > Chad La Joie
> > www.itumi.biz <http://www.itumi.biz>
> > trusted identities, delivered
>
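The thread's practical problem is that an ECP client cannot rely on one failure shape: a Shibboleth IdP doing container authentication answers a bad password with an HTTP 401 and an HTML body, while an IdP that validates credentials itself may answer with a SOAP fault or a samlp:Response carrying a non-Success status. The following is an added example (not code from the thread or from the Shibboleth project) of a response classifier that a client could put in front of its SOAP handling so that all three shapes map to the same outcome; the sample bodies are constructed, not captured from a real IdP.

```python
# Added example: classify the IdP's reply to an ECP AuthnRequest so the client
# behaves the same whether the IdP signals failure with a container 401, a SOAP
# fault, or a samlp:Response with a non-Success status.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def classify_ecp_response(status, content_type, body):
    """Return (outcome, detail); outcome is 'success', 'auth_failed', 'fault' or 'error'."""
    if status == 401:
        # Container-based auth (the Shibboleth behaviour described in the thread):
        # the servlet container rejects the credentials before the IdP runs.
        return "auth_failed", "HTTP 401 from container, no SOAP body"
    if "xml" not in content_type.lower():
        return "error", f"unexpected content type {content_type!r} (HTTP {status})"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return "error", f"unparseable body: {exc}"
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return "error", "body is not a SOAP envelope"
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        # SOAP 1.1 faultstring is an unqualified child of Fault
        return "fault", "SOAP fault: " + fault.findtext("faultstring", default="")
    resp = root.find(f".//{{{SAMLP_NS}}}Response")
    if resp is None:
        return "error", "SOAP envelope without samlp:Response"
    code = resp.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    value = code.get("Value", "") if code is not None else ""
    if value == SAML_SUCCESS:
        return "success", "samlp:Response with Success status"
    return "auth_failed", f"samlp:Response with status {value or 'missing'}"


# Constructed sample bodies (not captured from a real IdP)
HTML_401 = "<html><body><h1>401 Unauthorized</h1></body></html>"
SOAP_FAULT = (
    f'<S:Envelope xmlns:S="{SOAP_NS}"><S:Body><S:Fault>'
    "<faultcode>S:Client</faultcode><faultstring>Authentication failed</faultstring>"
    "</S:Fault></S:Body></S:Envelope>"
)
SOAP_OK = (
    f'<S:Envelope xmlns:S="{SOAP_NS}"><S:Body>'
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}"><samlp:Status>'
    f'<samlp:StatusCode Value="{SAML_SUCCESS}"/>'
    "</samlp:Status></samlp:Response></S:Body></S:Envelope>"
)
```

Only a `success` outcome should be forwarded to the SP; the other three are logged with their detail string so a failed login is never mistaken for a transport error.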