Setting up ECP in shibboleth SP

Eric Dalquist eric.dalquist at doit.wisc.edu
Tue Jan 3 02:36:44 GMT 2012


What are you using for an ECP client right now? Various uPortal 
associated portlets support ECP for delegated authentication. You can 
see source for the library that enables this here:
https://source.jasig.org/sandbox/delegated-saml-authentication/trunk/

The idea is that the library provides a customized commons-httpclient
3.1 HttpClient class which sets the correct PAOS header and content type
to notify the SP that ECP is supported by the client. If the SP provides
the correct response the library handles the auth and the result is an
HttpState which contains all the shib cookies and such.

Another developer wrote the initial code but I've done a lot of 
maintenance on the library since then.

-Eric

On 1/2/12 5:55 PM, Anand Somani wrote:
> But if I use the SSO browser profile, on auth failure I get redirected
> back to SP with a message that access was denied.
>
> I understand that with the container based approach it is not possible
> to do this, but why is it that Shibboleth (for ECP profile) uses the
> container auth
> (https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthRemoteUser)
> and not the external auth
> (https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthExternal)? It
> seems like with ExternalAuth it would be possible to return a SOAP
> error instead of a 401.
>
> What would be the best thing to do if I wanted to write an ECP client,
> then? I mean, if things are not in the spec then it would almost depend
> on the IdP implementation, which would force the client to be
> customizable and hence a headache to maintain?
>
>
> On Mon, Jan 2, 2012 at 3:15 PM, Chad La Joie <lajoie at shibboleth.net> wrote:
>
>     In my opinion, and Scott may disagree, but because the SAML spec does
>     not actually cover authentication it also doesn't cover the case when
>     authentication is done by an external system and fails.
>
>     In a perfect world, I would want the IdP to return a SAML error saying
>     authentication failed.  But there is no way to actually do that when you
>     call out to another system and it never returns control back to the IdP.
>
>     On 1/2/12 6:08 PM, Anand Somani wrote:
>     > So is the response (for auth failure in case of ECP) within the spec
>     > or not? The reason I ask is if our customer wants to use another IdP,
>     > would our ECP code be different because it handles the credential
>     > validation differently, so instead of a 401 it returns a proper SOAP
>     > with auth denied?
>     >
>     > Thanks
>     >
>     >
>     >
>     > On Fri, Dec 30, 2011 at 3:56 PM, Chad La Joie <lajoie at itumi.biz> wrote:
>     >
>     >     That is the expected behavior currently.  Authentication occurs
>     >     outside the IdP so it's the web server or servlet container giving you
>     >     that error.
>     >
>     >     On Fri, Dec 30, 2011 at 18:35, Anand Somani <meatforums at gmail.com> wrote:
>     > > Follow up question on the setup for ECP. Everything seems to work as
>     > > expected for a successful login, but for a bad password the client gets a
>     > > 401 and an HTML response body. I would have expected a SOAP response/fault
>     > > (from the IdP) with a rejection/denied that I could pass to the SP. Is
>     > > this not the correct expectation? Maybe my IdP setup is not complete, even
>     > > though it seems to work?
>     > >
>     > > Thanks
>     > >
>     > >
>     > > On Wed, Dec 21, 2011 at 5:56 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>     > >>
>     > >> For the sake of the list archive, the crash was in an old log4shib version
>     > >> that was fixed several years ago and has nothing to do with ECP in
>     > >> particular.
>     > >>
>     > >> -- Scott
>     > >>
>     > >> --
>     > >> To unsubscribe from this list send an email to
>     > >> users-unsubscribe at shibboleth.net
>     > >
>     >     --
>     >     Chad La Joie
>     >     www.itumi.biz
>     >     trusted identities, delivered
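Eric's description of what the client library does (set the PAOS header and Accept content type so the SP answers with a PAOS envelope instead of a browser redirect) and the 401-with-HTML-body behaviour discussed further down the thread, as an added Python example that is not code from the Jasig delegated-saml-authentication library or from anyone on the thread. The header names and values are the ones defined by the SAML 2.0 ECP profile and PAOS binding; the SOAP/PAOS XML samples are constructed, and the sp.example.org URLs and the AuthnRequest ID are placeholders. The last function is the consumer-URL comparison the ECP profile requires of the client before it relays an IdP response to the SP.

```python
# Added example (Python), not the Jasig library's code: minimal ECP client-side
# helpers that (1) build the headers advertising ECP/PAOS support to the SP and
# (2) classify what comes back, including the "401 + HTML page" case from the
# thread, where the servlet container (not the IdP) rejected the credentials.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS_NS = "urn:liberty:paos:2003-08"
ECP_NS = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
PAOS_CT = "application/vnd.paos+xml"


def ecp_request_headers():
    """Headers an ECP client sends on its first request to the SP (values from
    the SAML ECP profile); without them the SP falls back to browser SSO."""
    return {
        "Accept": "text/html; " + PAOS_CT,
        "PAOS": 'ver="%s";"%s"' % (PAOS_NS, ECP_NS),
    }


def _envelope(body):
    """Parse body as XML; return the root only if it is a SOAP 1.1 Envelope."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    return root if root.tag == "{%s}Envelope" % SOAP_NS else None


def classify_response(status, content_type, body):
    """Return 'paos-authnrequest' (SP handed us an AuthnRequest to relay),
    'soap-fault', 'html-401' (container-level auth failure, as in the thread),
    'html' (the peer did not speak ECP) or 'unknown'."""
    media = (content_type or "").split(";")[0].strip().lower()
    if media in (PAOS_CT, "text/xml", "application/soap+xml"):
        root = _envelope(body)
        if root is None:
            return "unknown"
        if root.find("{%s}Body/{%s}Fault" % (SOAP_NS, SOAP_NS)) is not None:
            return "soap-fault"
        if root.find("{%s}Header/{%s}Request" % (SOAP_NS, PAOS_NS)) is not None:
            return "paos-authnrequest"
        return "unknown"
    if media == "text/html":
        return "html-401" if status == 401 else "html"
    return "unknown"


def response_consumer_url(sp_body):
    """responseConsumerURL from the SP's paos:Request header block."""
    root = _envelope(sp_body)
    req = None if root is None else root.find("{%s}Header/{%s}Request" % (SOAP_NS, PAOS_NS))
    return None if req is None else req.get("responseConsumerURL")


def assertion_consumer_url(idp_body):
    """AssertionConsumerServiceURL from the IdP's ecp:Response header block."""
    root = _envelope(idp_body)
    resp = None if root is None else root.find("{%s}Header/{%s}Response" % (SOAP_NS, ECP_NS))
    return None if resp is None else resp.get("AssertionConsumerServiceURL")


def consumer_urls_match(sp_body, idp_body):
    """ECP profile check: the client compares the SP's responseConsumerURL with the
    IdP's AssertionConsumerServiceURL and must not forward the IdP response to the
    SP (it sends a SOAP fault instead) when they differ."""
    a = response_consumer_url(sp_body)
    return a is not None and a == assertion_consumer_url(idp_body)


ACS = "https://sp.example.org/Shibboleth.sso/SAML2/ECP"  # placeholder SP endpoint

# Constructed SP reply to the headers above: paos:Request + ecp:Request + AuthnRequest.
SP_PAOS_RESPONSE = (
    '<S:Envelope xmlns:S="%s"><S:Header>'
    '<paos:Request xmlns:paos="%s" S:mustUnderstand="1" responseConsumerURL="%s" service="%s"/>'
    '<ecp:Request xmlns:ecp="%s" S:mustUnderstand="1" ProviderName="Example SP"/>'
    '</S:Header><S:Body><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_placeholder" Version="2.0" IssueInstant="2012-01-02T00:00:00Z"/></S:Body></S:Envelope>'
) % (SOAP_NS, PAOS_NS, ACS, ECP_NS, ECP_NS)

# Constructed IdP reply after a successful authentication (body elided).
IDP_ECP_RESPONSE = (
    '<S:Envelope xmlns:S="%s"><S:Header>'
    '<ecp:Response xmlns:ecp="%s" S:mustUnderstand="1" AssertionConsumerServiceURL="%s"/>'
    '</S:Header><S:Body/></S:Envelope>'
) % (SOAP_NS, ECP_NS, ACS)

# Constructed SOAP fault, the shape the thread's poster expected on a bad password.
SOAP_FAULT = ('<S:Envelope xmlns:S="%s"><S:Body><S:Fault><faultcode>S:Client</faultcode>'
              '<faultstring>authentication failed</faultstring></S:Fault></S:Body></S:Envelope>') % SOAP_NS

# Constructed stand-in for the container's 401 error page described in the thread.
HTML_401 = "<html><body>Unauthorized</body></html>"

if __name__ == "__main__":
    print(ecp_request_headers())
    print(classify_response(200, PAOS_CT, SP_PAOS_RESPONSE))
    print(classify_response(401, "text/html; charset=UTF-8", HTML_401))
    print(consumer_urls_match(SP_PAOS_RESPONSE, IDP_ECP_RESPONSE))
```

A client built this way treats the container's 401 page as a distinct outcome rather than trying to parse it as SOAP, and it refuses to relay an IdP response whose AssertionConsumerServiceURL does not match the SP's responseConsumerURL, which is the check that keeps a response from being delivered to an endpoint the SP never named.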