cantor.2 at osu.edu
Thu Nov 29 15:57:52 EST 2012
On 11/29/12 3:41 PM, "Kevin P. Foote" <kpfoote at iup.edu> wrote:
>I have set up the ExternalAuth handler in my config file. From what I
>read my auth script code, whatever it is based on, OpenID or something
>else, needs to POST back a mocked up assertion to the location specified
>in the handler definition. Once this is POSTed back then the SP acts as
>normal and processes the mocked assertion just as it does ones coming in
>from an IdP .. obviously minus the security checks etc.
>Am I conceptualizing the ExternalAuth handler correctly here?
I wouldn't say that it processes it "normally", exactly, but I guess
that's basically true. All of the steps involved in turning an assertion
into a set of data about the user in a session are basically the same.
>Am I correct in thinking I do not need any other SessionInitiator
>elements to use this?
Yes, in the sense that it's out of scope. I did not attempt to create a
mechanism that would "initiate" whatever flow is being used, and am
assuming that you are doing that as part of some discovery step yourself.
The existing discovery-related handlers are supposed to be sufficient to
do something useful.
For example, if your discovery interface includes an option on it that
triggers Google, the SP never knows about it until you finish that process
and tell it at the end. Whereas in the SAML case, the discovery UI
redirects back into the SP to get it to generate the request.