Question on Login Handlers

Christopher Bongaarts cab at umn.edu
Thu Aug 22 17:34:04 EDT 2013


On 8/22/2013 4:18 PM, Brewer, Edward L wrote:
> One possibility would be to use two login handlers, one configured 
> for LDAP1 (default) and one for LDAP2 (selectable with a particular 
> authentication method you dream up).  Then ask the new app to request 
> that authentication method (or define a separate RelyingParty for them 
> with that as their default auth method).
>
> I thought I could, but I was having a hard time figuring out how that 
> would work.  Currently I have two login handlers configured.. one of 
> type UserPassword and the other PreviousSession.  So, can I create 
> another login handler like UserPassword.. with a different login config 
> file?  How would I add it to the handler.xml?

See https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass 
for specifics and gotchas:

Duplicate the existing UserPassword login handler definition, and change 
the jaasConfigurationLocation attribute to the alternate configuration 
file (this is the part I'm not sure about since I don't use it myself, 
there might be issues with this...) and change the AuthenticationMethod 
element content to be the alternate name you make up (since it's a URI, 
using https://www.vanderbilt.edu/shibboleth/authmethods/xxxxx might be a 
good name).  Use this name in your RelyingParty for the rogue SP in the 
defaultAuthMethod attribute.  The wiki page also says you might need an 
"init" parameter to the servlet definition in web.xml if you want your 
made-up auth method identified in the SAML response to the SP.

-- 
%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
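
The setup described in the message above, as an added example that is not part of the original post or of the Shibboleth project: a duplicated UsernamePassword handler with its own JAAS file and made-up method URI, plus a check that each RelyingParty default resolves to exactly one handler. The file paths and entityIDs are constructed placeholders, the URI keeps the post's `xxxxx`, and the relying-party attribute is written as `defaultAuthenticationMethod`, its name in the IdP 2.x schema.

```python
import xml.etree.ElementTree as ET

PH = "{urn:mace:shibboleth:2.0:idp:profile-handler}"
RP = "{urn:mace:shibboleth:2.0:relying-party}"
ALT = "https://www.vanderbilt.edu/shibboleth/authmethods/xxxxx"  # placeholder URI from the post

# Constructed handler.xml fragment: the stock handler plus its duplicate (paths are assumptions).
HANDLERS = f"""<ph:ProfileHandlerGroup
    xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ph:LoginHandler xsi:type="ph:UsernamePassword"
      jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
  </ph:LoginHandler>
  <ph:LoginHandler xsi:type="ph:UsernamePassword"
      jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login-ldap2.config">
    <ph:AuthenticationMethod>{ALT}</ph:AuthenticationMethod>
  </ph:LoginHandler>
</ph:ProfileHandlerGroup>"""

# Constructed relying-party.xml fragment for the one SP that should use LDAP2.
RELYING = f"""<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party">
  <rp:RelyingParty id="https://sp.example.org/shibboleth"
      provider="https://idp.example.org/idp/shibboleth"
      defaultAuthenticationMethod="{ALT}"/>
</rp:RelyingPartyGroup>"""

def handler_map(handlers_xml):
    """Map each AuthenticationMethod URI to the JAAS files of the handlers claiming it."""
    out = {}
    for h in ET.fromstring(handlers_xml).iter(PH + "LoginHandler"):
        for m in h.iter(PH + "AuthenticationMethod"):
            out.setdefault(m.text.strip(), []).append(h.get("jaasConfigurationLocation"))
    return out

def check(handlers_xml, relying_xml):
    """Return a list of problems; empty means every default method maps to one handler."""
    methods, problems = handler_map(handlers_xml), []
    for uri, files in methods.items():
        if len(files) > 1:  # two handlers answering one URI makes the LDAP choice ambiguous
            problems.append(f"{uri} is claimed by {len(files)} handlers")
    for rp in ET.fromstring(relying_xml).iter(RP + "RelyingParty"):
        want = rp.get("defaultAuthenticationMethod")
        if want and want not in methods:  # typo or stale URI: no handler offers it
            problems.append(f"{rp.get('id')}: no login handler offers {want}")
    return problems

if __name__ == "__main__":
    print(handler_map(HANDLERS))
    print(check(HANDLERS, RELYING) or "consistent")
```
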
