Forced Authn and IdPUnsolicitedSSO

Tom Scavo trscavo at gmail.com
Mon Aug 4 20:08:24 EDT 2014


On Mon, Aug 4, 2014 at 4:55 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 8/4/14, 4:27 PM, "Mike Wiseman" <mike.wiseman at utoronto.ca> wrote:
>
>>We are working on integrating an IBM DataPower appliance with our websso
>>environment (which is shib idp 2.3.8). The plan is to use
>>IdPUnsolicitedSSO since the DataPower, from my knowledge at the moment,
>>does not support generating SAML requests. There is a requirement to
>>support forced authn though. Is it possible, besides via the SAML
>>request, to force authn at the idp via the idpunsolicitedsso transaction?
>
> Nope. You can spoof a request, or you can create your own protocol to do
> anything you want by creating an alternative version of the
> UnsolicitedSSODecoder class and plugging that into the handler.xml file.

I'll add my two cents...it's much easier to "spoof a request" as Scott
calls it. Just send an AuthnRequest to the IdP as though it had come
from the DataPower itself. That may sound easier than it actually is
but implementing a new handler to accomplish this at the IdP is
certainly much more difficult.

Tom
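What "spoofing a request" amounts to in practice, as an added example that is not part of this thread and not Shibboleth or DataPower code: the integration layer builds a standard SAML 2.0 AuthnRequest in the SP's name with ForceAuthn="true", applies the HTTP-Redirect binding, and a small decoder shows the one attribute the IdP consults (an IdP-initiated unsolicited SSO flow carries no AuthnRequest, so there is nowhere to set it). The entityID, ACS and IdP SSO URLs are placeholder assumptions.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Placeholder endpoints (assumed): substitute the real SP entityID, ACS and IdP SSO URL.
SP_ENTITY_ID = "https://datapower.example.edu/sp"
ACS_URL = "https://datapower.example.edu/saml/acs"
IDP_SSO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"


def build_authn_request(force_authn: bool) -> str:
    """Minimal SAML 2.0 AuthnRequest issued in the name of the SP (the DataPower)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'ForceAuthn="{"true" if force_authn else "false"}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_url(xml: str, relay_state: str = "") -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{IDP_SSO_URL}?{urlencode(params)}"


def force_authn_requested(url: str) -> bool:
    """Decode the SAMLRequest in a redirect URL and report whether ForceAuthn is set.

    ForceAuthn is an xs:boolean on the AuthnRequest, so "true" and "1" both count.
    """
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("ForceAuthn", "false").lower() in ("true", "1")
```

A real deployment would also sign the request where the IdP requires it and bind the request ID to the session so the response can be matched back.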
