newbie question.

Cantor, Scott cantor.2 at osu.edu
Mon May 7 18:02:44 BST 2012


On 5/7/12 12:43 PM, "PARDEE, MARTIN (MARTIN)" <mlp at research.att.com> wrote:
>
>In using the LDAP authentication mechanism I modified the login.config
>file to point to my local LDAP server, using my URL and baseDn. The user
>filter was specified as "uid={0}", which, without any further info, I
>assume to mean will get a user ID from an incoming SAML request somehow.

No, it means whatever the user supplies is searched against the uid
attribute in the directory to find the entry. This is standard LDAP
authentication config.

>I created a DataConnector in attribute-resolver.xml to access this ldap
>server, using my credentials as the "principal".

The credentials of the connector are for a service account to access the
LDAP directory and have no connection to any user. Using a user account
with limited access will not work. Again, standard setup for LDAP
integration with an "application", the IdP in this case.

>The fact that this works is great. But it took me a while; the specifics
>of what needed to go into the "principal" field were unclear at first. I
>needed to use Wireshark to see the ldap traffic before I could figure it
>out.

If the wording in the documentation explaining the purpose of the fields
is unclear, that's concrete feedback.

>1) how does ldap tell the IdP if a login attempt fails?

JAAS error handling is messy. The U/P login handler has limited
information available, nothing much but the exception from the JAAS layer.
It, I believe, does expose that to the JSP page, but by default the page
doesn't use that to tailor anything.

> I don't see the details of the conversation between the external
>authenticator and shibboleth in any of the documentation pages I've read.
>The details of the exchange appear to be hidden from me (this is a good
>news/bad news proposition).

The login handler is what dictates how errors are displayed to the user in
the middle of the process.

>2) even though I've managed to make the SP "protect" a resource on my
>IIS7 server, the documentation tells me that the entityID I enter in the
>shibboleth2.xml file is just an identifier, not a real URL. So I don't
>fully understand how to tell the SP that I want "this particular JSP" or
>"all of the JSPs in this folder" to be protected by my authenticator.

See NativeSPProtectContent in the wiki. IIS has no htaccess-like feature,
so you have to use the RequestMap to do all that. Generally speaking, you
create Path elements in the map and stick requireSession="true" inside
them. The specifics depend on what you're doing.

>3) by extension: in trying to understand how to use the handler.xml file
>to use an external authentication mechanism via the LoginHandler element,
>it is not clear how to accomplish several things. Firstly: how does a
>person identify the required custom JSP to the handler? There doesn't
>seem to be a place for the JSP's URL in this element.

Quoting the docs:
externalAuthnPath - context-relative path to the Filter, Servlet, or JSP
used to interact with the external authentication system


> Second:  it isn't clear to me what the "HTTPServletRequest attributes"
>are.

Standard Java servlet concept.

> Is this a reference to the
>attributes mentioned later? (forceAuthn, IsPassive, authnMethod,
>relyingParty).

No.

> This seems likely as the interface document mentioned:
>
>http://shibboleth.internet2.edu/javadocs/2.1.3/apidocs/edu/internet2/middleware/shibboleth/idp/authn/class-use/LoginHandler.html
>
>doesn't mention any available setters for attributes.

Because that's a Java servlet notion, it isn't specific to the IdP.

>4) it seems odd (to me) that there isn't a way for me to tell the IdP
>whether or not this external authentication process that I have invoked
>has succeeded or failed.

Quoting:
"Once completed, the custom-developed code must then set the
HttpServletRequest attributes required by the
edu.internet2.middleware.shibboleth.idp.authn.LoginHandler interface and
invoke edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine#returnToAuthenticationEngine(HttpServletRequest,HttpServletResponse)."


-- Scott
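Added example (not part of the thread and not Shibboleth project code): a minimal servlet that plays the role of the "custom-developed code" quoted above for the IdP 2.x ExternalAuthn login handler. It ties questions 3 and 4 together: the handler.xml entry's externalAuthnPath is where the IdP forwards the browser, and success or failure is reported back purely by setting request attributes and calling AuthenticationEngine.returnToAuthenticationEngine(). The servlet path, the JSP name, the ExternalVerifier hook, the servlet-context attribute name and the method URI are this example's assumptions; the LoginHandler key constants and the handler.xml attribute names are the IdP 2.x ones and should be checked against the installed version's javadoc.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;

/**
 * Illustrative external authentication endpoint for the IdP 2.x
 * "ExternalAuthn" login handler. Assumed handler.xml entry (the path and
 * the method URI are this example's choices, not values from the thread):
 *
 *   <ph:LoginHandler xsi:type="ph:ExternalAuthn"
 *                    externalAuthnPath="/Authn/External"
 *                    supportsForcedAuthentication="true"
 *                    supportsPassiveAuthentication="false">
 *     <ph:AuthenticationMethod>
 *       urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
 *     </ph:AuthenticationMethod>
 *   </ph:LoginHandler>
 *
 * The IdP forwards to externalAuthnPath with request attributes such as
 * forceAuthn, isPassive, authnMethod and relyingParty already set. The only
 * contract back to the IdP is request attributes plus one call to
 * AuthenticationEngine.returnToAuthenticationEngine(); this code never
 * builds a SAML response itself.
 */
public class ExternalAuthnServlet extends HttpServlet {

    /** Hypothetical hook to the site's real authentication system (LDAP etc.). */
    public interface ExternalVerifier {
        /** Returns the canonical principal name on success, or null on failure. */
        String verify(String username, char[] password);
    }

    /** Assumed: the deployment registers its verifier in the servlet context. */
    private static final String VERIFIER_ATTR = "example.externalVerifier";

    /** Assumed location of the login form, inside the IdP's own web context. */
    private static final String LOGIN_FORM_JSP = "/Authn/external-login.jsp";

    private static final String METHOD_URI =
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";

    /** Entry point: the IdP forwards the browser here (GET). */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A passive request must not show UI, so report failure, not a form.
        if (flag(req.getAttribute("isPassive"))) {
            fail(req, resp, "passive authentication not supported");
            return;
        }
        // This servlet always prompts, so forceAuthn is honoured by
        // construction. A handler that remembers earlier logins would have
        // to check flag(req.getAttribute("forceAuthn")) before reusing one.
        req.getRequestDispatcher(LOGIN_FORM_JSP).forward(req, resp);
    }

    /** The login form posts j_username / j_password back here. */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("j_username");
        String password = req.getParameter("j_password");
        if (username == null || username.isEmpty() || password == null) {
            fail(req, resp, "missing credentials");
            return;
        }
        ExternalVerifier verifier =
            (ExternalVerifier) getServletContext().getAttribute(VERIFIER_ATTR);
        if (verifier == null) {
            fail(req, resp, "external verifier not configured");
            return;
        }
        String principal = verifier.verify(username, password.toCharArray());
        if (principal == null) {
            // One generic reason: do not reveal whether the account exists.
            fail(req, resp, "invalid credentials");
            return;
        }
        succeed(req, resp, principal);
    }

    /** Success: name the principal and the method, then hand control back. */
    private static void succeed(HttpServletRequest req, HttpServletResponse resp,
                                String principal) throws ServletException, IOException {
        req.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, principal);
        req.setAttribute(LoginHandler.AUTHENTICATION_METHOD_KEY, METHOD_URI);
        AuthenticationEngine.returnToAuthenticationEngine(req, resp);
    }

    /** Failure: the error attribute is how the IdP learns the login failed. */
    private static void fail(HttpServletRequest req, HttpServletResponse resp,
                             String reason) throws ServletException, IOException {
        req.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY, reason);
        AuthenticationEngine.returnToAuthenticationEngine(req, resp);
    }

    /** The IdP sets these attributes as Booleans; tolerate string forms too. */
    private static boolean flag(Object value) {
        if (value instanceof Boolean) {
            return (Boolean) value;
        }
        return value != null && Boolean.parseBoolean(value.toString());
    }
}
```

The point for question 4 is in fail(): there is no return value or callback, the IdP learns the outcome from LoginHandler.AUTHENTICATION_ERROR_KEY (or the absence of a principal) when returnToAuthenticationEngine() runs, and what the user then sees is up to the IdP's error page, which is Scott's answer to question 1 as well.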


