Setting up ECP in shibboleth SP

Chad La Joie lajoie at shibboleth.net
Tue Jan 3 00:36:31 GMT 2012



On 1/2/12 7:25 PM, Anand Somani wrote:
> I am using Shibboleth IDP with external auth and am able to get this
> behavior, so not sure if this is just a coincidence (because of some
> misconfiguration or incorrect coding) or what?

I'd have to look at the external authn code again.  It certainly does
have more capabilities to feed information back in to the IdP.  I
generally don't think about it just because it's pretty new.

> I have not tried it yet, but if I configured using ExternalAuth would
> shib Idp prevent me for the ECP profile case?

I honestly don't know, you'll have to look at the code.  If it calls out
to the authentication engine then you could use the external authn login
handler.  If it's hard coded to just look at the remote user, then no.

> It's not about robust code for the well defined protocol, but more about
> open API (for authentication) which makes this more of customization
> based on the customer's IDP and hence a potential headache for
> maintenance.  I am just trying to get a feel for what to expect based on
> your experience.

You asked what the best thing to do is, if you were writing a client.  I
think the best thing to do is to handle the errors that you might
encounter, regardless of what layer in the stack they occur in.

In terms of authentication specifically, yeah, welcome to the
non-browser world.  There is nothing even close to a widely implemented
standard once you leave HTTP BASIC auth.
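As an added illustration of handling errors at every layer of an ECP exchange (this is example code, not from the thread or from Shibboleth): a hypothetical `classify_idp_reply` helper that sorts one IdP reply into an HTTP, SOAP or SAML failure, fed with constructed sample bodies rather than real captures.

```python
# Added example (not from the thread): classify the outcome of one ECP
# round trip with the IdP by the layer at which it failed, so a client
# can react uniformly to HTTP, SOAP and SAML errors.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # ECP uses SOAP 1.1
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Headers an ECP client sends on its first request to the SP (from the ECP profile).
PAOS_HEADERS = {
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}

# Constructed sample IdP replies (not captured from a real deployment).
FAULT_BODY = f"""<S:Envelope xmlns:S="{SOAP_NS}"><S:Body><S:Fault>
<faultcode>S:Server</faultcode><faultstring>no authn handler</faultstring>
</S:Fault></S:Body></S:Envelope>"""
DENIED_BODY = f"""<S:Envelope xmlns:S="{SOAP_NS}"><S:Body>
<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_r1"><samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
</samlp:Status></samlp:Response></S:Body></S:Envelope>"""


def classify_idp_reply(http_status, body):
    """Return (layer, detail); layer is 'http', 'soap', 'saml' or 'ok'."""
    # Layer 1: HTTP. ECP authenticates to the IdP with HTTP Basic, so a 401
    # means the credentials were rejected before any SOAP was processed.
    if http_status == 401:
        return ("http", "idp rejected credentials")
    if http_status != 200:
        return ("http", f"unexpected status {http_status}")
    # Layer 2: SOAP. The body must parse and must not be a SOAP Fault.
    try:
        env = ET.fromstring(body)
    except ET.ParseError as e:
        return ("soap", f"unparseable envelope: {e}")
    fault = env.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        return ("soap", fault.findtext("faultstring") or "fault without faultstring")
    resp = env.find(f".//{{{SAMLP_NS}}}Response")
    if resp is None:
        return ("soap", "no samlp:Response in body")
    # Layer 3: SAML. A well-formed Response may still carry a failure status.
    code = resp.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    value = code.get("Value") if code is not None else None
    if value != SUCCESS:
        return ("saml", value or "missing StatusCode")
    return ("ok", resp.get("ID"))
```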
