External authentication on a different system than the IdP

Ian Rifkin irifkin at brandeis.edu
Wed Jul 24 12:44:10 EDT 2013


Hi,

In my example…

> 1.) User hits SP protected endpoint.
>

Yes…


> 2.) Redirect to IdP.
>

Redirected to IdP server, but doesn't reach the actual IdP yet…


> 3.) External auth handler takes over.
>

Yes, this is where mod_cosign comes into play for me


> 4.) Redirect to external authentication system.
>

mod_cosign then redirects to the SSO URL


> 5.) External authentication.
>

This happens…


> 6.) Redirect back to IdP with success/failure.
>

If failure for us, it displays the error on the SSO page. If success, it
gets back to the IdP server and passes the username to the IdP. This is
the first time Shibboleth knows anything about this login. It then does
its Shib stuff.


> 7.) Redirect to original SP protected endpoint if success.
>

Yes, but there's no if success here for us. At this point Shib is just
looking up attributes and sends the XML back to the SP. The SP decides if
the authorization is successful.


In my example I'm using mod_cosign, but you could have custom software
doing something similar.

Hope that's helpful.

Ian
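The seven-step flow Ian walks through, as an added simulation that is not part of the original post and is not Shibboleth or cosign code: the external SSO (mod_cosign's role) authenticates, the IdP only learns of a login on success and then resolves attributes, and the SP alone decides authorization. Account data, attribute values and step labels are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed accounts known to the external SSO system.
SSO_ACCOUNTS = {"alice": "correct-horse"}
# Constructed attribute store the IdP resolves attributes from (step 7).
IDP_ATTRIBUTES = {"alice": {"eduPersonAffiliation": "staff"}}

@dataclass
class FlowTrace:
    steps: List[str] = field(default_factory=list)
    idp_saw_login: bool = False          # true only after step 6 succeeds
    assertion: Optional[dict] = None

def external_sso(username: str, password: str) -> bool:
    """Step 5: the external authentication system checks credentials."""
    return SSO_ACCOUNTS.get(username) == password

def idp_external_auth(trace: FlowTrace, username: str, password: str) -> Optional[dict]:
    """Steps 3-6: external auth handler hands off to SSO and returns to the IdP."""
    trace.steps.append("3 external auth handler")
    trace.steps.append("4 redirect to SSO")
    if not external_sso(username, password):
        trace.steps.append("6 failure shown on SSO page")
        return None                      # IdP never hears about this attempt
    trace.steps.append("6 success: username passed to IdP")
    trace.idp_saw_login = True
    # The IdP resolves attributes; it makes no authorization decision.
    return {"NameID": username, "attrs": IDP_ATTRIBUTES.get(username, {})}

def sp_authorize(assertion: dict, required_affiliation: str) -> bool:
    """The SP decides authorization from the attributes it received."""
    return assertion["attrs"].get("eduPersonAffiliation") == required_affiliation

def run_flow(username: str, password: str, required_affiliation: str = "staff"):
    """Run steps 1-7; return the trace and the SP's authorization result."""
    trace = FlowTrace()
    trace.steps.append("1 SP protected endpoint")
    trace.steps.append("2 redirect to IdP")
    assertion = idp_external_auth(trace, username, password)
    if assertion is None:
        return trace, False
    trace.assertion = assertion
    trace.steps.append("7 redirect to SP with attributes")
    return trace, sp_authorize(assertion, required_affiliation)
```

Note that a wrong password stops at the SSO page with `idp_saw_login` still false, while a correct password with the wrong affiliation reaches the IdP and is refused only by the SP.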