Authorization using shibboleth sso

Surinaidu Majji pioneer.suri at gmail.com
Mon Dec 8 01:32:56 EST 2014


Thank you @Peter,
As you said, to release the attributes, we are defining them in the
attribute-resolver without having a Data Connector (for principal), that's
why we are getting the data (Principal data) at the SP side. But before that we
are querying our database by sending the log.in jsp credentials and getting
the response and sending them to the AuthenticationEngine.

The intended way to get the needed information into the IDP is via the
attribute resolver (and release it in the filter), not from the
login handler.

So from the above req.setAttribute(LoginHandler.Principla, attributes);
is going to the IDP again, is it not like getting the attributes through
the IDP?



On Mon, Dec 1, 2014 at 5:02 PM, Peter Schober <peter.schober at univie.ac.at>
wrote:

> * Surinaidu Majji <pioneer.suri at gmail.com> [2014-12-01 12:14]:
> > -> So here we are getting the permissions from our server and send it to
> > the idp by AuthenticationEngine.returnToAuthenticationEngine(req,resp); by
> > setting the permissions in the request as an attribute.
>
> OK, I'm beginning to see what you keep going on about the external
> authentication login handler, that's where you're intending to perform
> authorization?  If that's so, don't do that, this is meant to
> externalize /authentication/ from the IDP. Authorization should be
> handled at the SP, based on attributes released by the IDP.
> The intended way to get the needed information into the IDP is via the
> attribute resolver (and release it in the filter), not from the
> login handler. Same as for any other attribute.
> -peter
>
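
The approach Peter describes (resolve the data in the attribute resolver, release it in the filter), sketched as an added example that is not part of the original thread or the Shibboleth project's own configuration: fragments for the IdP's attribute-resolver.xml and attribute-filter.xml in IdP 2.x syntax, relying on the namespace prefixes declared in the shipped files. The database, table, column, attribute name and SP entityID are all hypothetical.

```xml
<!-- attribute-resolver.xml: look up permissions for the principal that the
     login handler has already authenticated. JDBC values, table and column
     names are hypothetical; use a read-only database account. -->
<resolver:DataConnector id="permDB" xsi:type="dc:RelationalDatabase">
    <dc:ApplicationManagedConnection
        jdbcDriver="org.postgresql.Driver"
        jdbcURL="jdbc:postgresql://db.example.org/appdb"
        jdbcUserName="idp_readonly"
        jdbcPassword="CHANGE_ME" />
    <dc:QueryTemplate>
        <![CDATA[
            SELECT permission FROM user_permissions
            WHERE username = '$requestContext.principalName'
        ]]>
    </dc:QueryTemplate>
    <dc:Column columnName="permission" attributeID="permission" />
</resolver:DataConnector>

<!-- Expose the column as an IdP attribute and give it a SAML 2 encoding.
     The attribute name URI is a constructed placeholder. -->
<resolver:AttributeDefinition id="permissions" xsi:type="ad:Simple"
                              sourceAttributeID="permission">
    <resolver:Dependency ref="permDB" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="https://idp.example.org/attributes/permissions"
        friendlyName="permissions" />
</resolver:AttributeDefinition>

<!-- attribute-filter.xml: release the attribute only to the one SP that
     makes authorization decisions on it (hypothetical entityID). -->
<afp:AttributeFilterPolicy id="releasePermissionsToApp">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://sp.example.org/shibboleth" />
    <afp:AttributeRule attributeID="permissions">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```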