External authentication on a different system than the IdP

Peter Schober peter.schober at univie.ac.at
Thu Jul 25 09:50:08 EDT 2013


* Ian Rifkin <irifkin at brandeis.edu> [2013-07-25 14:21]:
> > You are *not* describing the ExternalAuthn login handler here (which
> > is the topic at hand), you're talking about the RemoteUser login
> > handler. While that also allows to "externalize" authentication the
> > implementation and the flows talked about above are very different.
> 
> Good point, Peter. That is correct. My example is a way to use an external
> authentication mechanism using the RemoteUser login handler. I read (or
> mis-read?) the original question as being more general than tied to a
> particular approach. If I was mistaken I apologize for confusing things!

If you want or need to support isPassive (prevent interaction with the
user agent when there is no session at the IdP) and forcedAuthn
(require reauthentication at the IdP even if a session exists), you
can't use the RemoteUser login handler. The easiest way to support
those then is to use the ExternalAuthn login handler, which requires a
bit more integration work than just putting the IdP behind httpd with
mod_cosign.
-peter
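To make the distinction in the reply above concrete, here is an added example in Python (not code from this thread, nor from the Shibboleth project) that models the decision an ExternalAuthn-style back end has to make when the IdP hands it the isPassive and forceAuthn flags, and contrasts it with a RemoteUser-style front end that never sees those flags. The request parameter names `isPassive`/`forceAuthn`, the result keys `principal_name`/`authnException`, the `Handoff` type and the sample session values are assumptions chosen for illustration; the NoPassive status URI is the one from the SAML 2.0 core specification.

```python
# Added example, not from the thread or the Shibboleth project: a model of
# the decision an external authentication system must make when the IdP
# hands it the AuthnRequest flags isPassive and forceAuthn.
# Parameter names "isPassive"/"forceAuthn" and result keys
# "principal_name"/"authnException" are assumptions for illustration.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional

# SAML 2.0 second-level status code returned when interaction was needed
# but the SP asked for a passive authentication.
NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"


class Outcome(Enum):
    REUSE_SESSION = "reuse the existing session without interaction"
    PROMPT_USER = "interact with the user agent (show a login page)"
    FAIL_NO_PASSIVE = "fail: interaction needed but isPassive was requested"


@dataclass
class Handoff:
    """What the IdP passes to the external system (constructed model)."""
    is_passive: bool = False
    force_authn: bool = False


def decide(req: Handoff, has_session: bool) -> Outcome:
    """Combine the two flags with the external system's own session state.

    forceAuthn -> a fresh authentication act is required, so an existing
                  session is not good enough; that needs interaction.
    isPassive  -> no interaction is allowed; if interaction would be
                  needed, answer NoPassive instead of prompting.
    Both set   -> contradictory unless a session can be renewed silently;
                  modelled here as NoPassive (the conservative choice).
    """
    needs_interaction = req.force_authn or not has_session
    if not needs_interaction:
        return Outcome.REUSE_SESSION
    if req.is_passive:
        return Outcome.FAIL_NO_PASSIVE
    return Outcome.PROMPT_USER


def external_authn(params: Dict[str, str],
                   session_user: Optional[str]) -> Dict[str, str]:
    """Simulated ExternalAuthn-style round trip.

    `params` stands in for the request parameters the IdP sends; the
    return value stands in for what the external system hands back
    before returning control to the IdP: a principal name, a marker
    that a login page would now be shown, or an exception code.
    """
    req = Handoff(
        is_passive=params.get("isPassive", "false").lower() == "true",
        force_authn=params.get("forceAuthn", "false").lower() == "true",
    )
    outcome = decide(req, session_user is not None)
    if outcome is Outcome.REUSE_SESSION:
        return {"principal_name": session_user}
    if outcome is Outcome.PROMPT_USER:
        # A real deployment renders the login form here and records a new
        # authentication instant; modelled as a marker only.
        return {"action": "prompt"}
    return {"authnException": NO_PASSIVE}


def remote_user_frontend(req: Handoff, remote_user: Optional[str]) -> Outcome:
    """Contrast: a RemoteUser-style setup (httpd plus an SSO module such as
    mod_cosign in front of the IdP) never sees the flags. It either finds
    REMOTE_USER and reuses that session or redirects to its login page,
    whatever isPassive or forceAuthn said. `req` is deliberately ignored.
    """
    return Outcome.REUSE_SESSION if remote_user else Outcome.PROMPT_USER


if __name__ == "__main__":
    # Constructed sample cases: (isPassive, forceAuthn), existing session
    for flags, sess in [((False, False), None), ((True, False), None),
                        ((False, True), "alice"), ((True, True), "alice")]:
        r = Handoff(*flags)
        print(flags, "session" if sess else "no session",
              "| external:", decide(r, sess is not None).name,
              "| remoteuser:", remote_user_frontend(r, sess).name)
```

The two cases that matter for the point in the reply are isPassive with no session (the external handler answers NoPassive, the RemoteUser front end would redirect to a login page anyway) and forceAuthn with an existing session (the external handler prompts again, the RemoteUser front end silently reuses REMOTE_USER).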

