Setting up ECP in shibboleth SP

Cantor, Scott cantor.2 at
Tue Jan 3 15:34:02 GMT 2012

On 1/2/12 6:15 PM, "Chad La Joie" <lajoie at> wrote:

>In my opinion, and Scott may disagree, but because the SAML spec does
>not actually cover authentication it also doesn't cover the case when
>authentication is done by an external system and fails.

The base spec says nothing about authentication at all, so you can't
assume anything. There is no interop as a result, and clients are
generally tied to specific IdP implementations. That said, there are some
obvious things to code support for, and basic-auth is one of them. Basic
auth does not result in a SOAP error, and there's nothing in ECP that
suggests you are doing authentication at the SOAP layer only. HTTP is also

The v2 ECP draft doesn't really change this, other than to call out the
requirement that certain authentication types be supported by the IdP and
client. Basic auth is definitely on that list. There is no standard spec
for doing "authentication" in SOAP, or anything that would define errors
in that realm. There was some Liberty work on that, but it never went
anywhere. So while it's possible to do that, and easy enough for a client
to handle, it's certainly not specified.

As Chad said, it's clearly the right thing for any client to handle errors
at each layer, not by assuming it happens in one. In ECP that means HTTP
and SOAP, by handling errors and faults. That's hardly all that difficult.

Finally, no, you cannot use the ExternalAuth handler. The ECP code doesn't
call into the AuthenticationEngine, it just looks for REMOTE_USER. We're
trying to fix all that in V3.

-- Scott
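The per-layer handling Scott describes (HTTP first, then SOAP faults, then the SAML status inside the Response) can be made concrete with a small classifier. This is an added example, not code from the list post or from the Shibboleth SP; it assumes the SOAP 1.1 binding that ECP uses, and the three reply samples are constructed rather than captured from a real IdP. The function name `classify_ecp_reply` and the tuple it returns are this example's own conventions.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def classify_ecp_reply(status_code, headers, body):
    """Return (layer, detail) for one reply from an ECP IdP endpoint.

    layer is 'http', 'soap', 'saml' or 'ok'. Each layer is checked in turn so
    that a basic-auth rejection (401 with no SOAP body) is reported as an HTTP
    failure, a SOAP fault (which SOAP 1.1 sends with HTTP 500) is reported as a
    fault rather than as a generic HTTP error, and a SAML AuthnFailed status is
    read from the Response instead of being mistaken for success.
    """
    # Layer 1: HTTP. Basic auth never produces a SOAP fault; the IdP's HTTP
    # layer answers 401 before any SOAP processing happens.
    if status_code == 401:
        return "http", "authentication rejected (401): " + headers.get("WWW-Authenticate", "")

    # Layer 2: SOAP. Parse whatever body came back, even on a 500, because a
    # SOAP 1.1 fault is carried in a 500 response.
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        if status_code >= 400:
            return "http", f"HTTP error {status_code} with non-XML body"
        return "soap", f"unparseable SOAP body: {exc}"
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return "soap", f"unexpected root element {root.tag}"
    soap_body = root.find(f"{{{SOAP_NS}}}Body")
    if soap_body is None:
        return "soap", "Envelope without Body"
    fault = soap_body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        # faultcode/faultstring are unqualified children in SOAP 1.1.
        code = fault.findtext("faultcode", "")
        text = fault.findtext("faultstring", "")
        return "soap", f"SOAP fault {code}: {text}"
    if status_code >= 400:
        return "http", f"HTTP error {status_code} without SOAP fault"

    # Layer 3: SAML. A 200 with a well-formed Envelope can still carry a
    # failed Response; the verdict is in samlp:Status.
    response = soap_body.find(f"{{{SAMLP_NS}}}Response")
    if response is None:
        return "saml", "Body carries no samlp:Response"
    code_el = response.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    if code_el is None:
        return "saml", "Response without StatusCode"
    value = code_el.get("Value", "")
    if value != SAML_SUCCESS:
        nested = code_el.find(f"{{{SAMLP_NS}}}StatusCode")
        detail = nested.get("Value", "") if nested is not None else ""
        return "saml", f"{value} {detail}".strip()
    return "ok", "Response status Success"


# Constructed sample replies (not captured from any real IdP).
SAMPLE_401 = (401, {"WWW-Authenticate": 'Basic realm="idp"'}, "")
SAMPLE_FAULT = (500, {}, (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><soap:Fault>'
    '<faultcode>soap:Client</faultcode>'
    '<faultstring>Unable to locate credentials</faultstring>'
    '</soap:Fault></soap:Body></soap:Envelope>'))
SAMPLE_AUTHNFAILED = (200, {}, (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:samlp="{SAMLP_NS}"><soap:Body>'
    '<samlp:Response ID="_c1" Version="2.0" IssueInstant="2012-01-03T15:00:00Z">'
    '<samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>'
    '</samlp:StatusCode></samlp:Status></samlp:Response>'
    '</soap:Body></soap:Envelope>'))
SAMPLE_SUCCESS = (200, {}, (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:samlp="{SAMLP_NS}"><soap:Body>'
    '<samlp:Response ID="_c2" Version="2.0" IssueInstant="2012-01-03T15:00:00Z">'
    f'<samlp:Status><samlp:StatusCode Value="{SAML_SUCCESS}"/></samlp:Status>'
    '</samlp:Response></soap:Body></soap:Envelope>'))


def demo():
    """Classify the constructed samples; returns the list of (layer, detail)."""
    return [classify_ecp_reply(*s) for s in
            (SAMPLE_401, SAMPLE_FAULT, SAMPLE_AUTHNFAILED, SAMPLE_SUCCESS)]


if __name__ == "__main__":
    for layer, detail in demo():
        print(f"{layer:5s} {detail}")
```

The order of the checks is the point: a client that only looks for a SOAP fault will see the basic-auth 401 as "no fault, must be fine" and then choke on an empty body, while a client that treats every 4xx/5xx as a transport failure throws away the faultstring the IdP sent with its 500.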
