Question on Login Handlers
Christopher Bongaarts
cab at umn.edu
Thu Aug 22 17:34:04 EDT 2013
On 8/22/2013 4:18 PM, Brewer, Edward L wrote:
> One possibility would be to use two login handlers, one configured
> for LDAP1 (default) and one for LDAP2 (selectable with a particular
> authentication method you dream up). Then ask the new app to request
> that authentication method (or define a separate RelyingParty for them
> with that as their default auth method).
>
> I thought I could, but I was having a hard time figuring out how that
> would work. Currently I have two login handlers configured.. one of
> type UserPassword and the other PreviousSession. So, can I create
> another login handler like UserPassword.. with a different login config
> file? How would I add it to the handler.xml?

See https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass
for specifics and gotchas:

Duplicate the existing UserPassword login handler definition, and change
the jaasConfigurationLocation attribute to the alternate configuration
file (this is the part I'm not sure about since I don't use it myself,
there might be issues with this...) and change the AuthenticationMethod
element content to be the alternate name you make up (since it's a URI,
using https://www.vanderbilt.edu/shibboleth/authmethods/xxxxx might be a
good name). Use this name in your RelyingParty for the rogue SP in the
defaultAuthMethod attribute. The wiki page also says you might need an
"init" parameter to the servlet definition in web.xml if you want your
made-up auth method identified in the SAML response to the SP.
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%