shib-cas-authn2 and forceAuthn

Scott Koranda skoranda at gmail.com
Mon Sep 8 23:37:35 EDT 2014


Hello,

I have deployed the current version of shib-cas-authn2 with the
Shibboleth IdP 2.4.0 and CAS 4.0.0 following the instructions at

https://github.com/Unicon/shib-cas-authn2

Delegation to CAS appears to be working fine. The CAS login handler is
the only login handler defined in handler.xml (outside of the previous
session handler--I understand the implications of leaving that defined
and it will most likely be removed later) and the standard
authentication flow is working as expected.

The attraction of the shib-cas-authn2 approach over the REMOTE_USER
approach is support for SAML2 forced reauthentication and isPassive.

I do not, however, see any instructions at

https://github.com/Unicon/shib-cas-authn2

on how to configure the login handler to support either forced
reauthentication or isPassive.

I decided to simply try it and used a Shibboleth SP and the Native SP
session creation parameter 'forceAuthn=1'. This resulted in a SAML
error sent by the IdP and the log message

"Force authentication requested but no login handlers available to support it".

How do I configure shib-cas-authn2 to respond appropriately to
AuthnRequests with forced reauthentication or isPassive?

I also looked in detail at the code for CasLoginHandler. I expected
that during the constructor call I would see

setSupportsForceAuthentication()

and

setSupportsPassive()

They are not invoked there but instead are invoked during login().
Will that work? I would have thought that the IdP needs to know at the
time it creates the login handler whether or not it supports forced
reauthentication and isPassive. What am I missing?

Thanks,

Scott K
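The sequencing the question turns on (the IdP consults a handler's capability flags when it selects a handler, and only then calls login()), shown as an added Java illustration. This is not code from shib-cas-authn2 or from the Shibboleth IdP: LoginHandler here is a two-method stand-in for the real edu.internet2.middleware.shibboleth.idp.authn.LoginHandler contract, the selection routine is a hypothetical simplification of the IdP 2.x authentication engine, and the assumption that selection precedes login() is exactly what the example exists to make visible. The forceAuthn log message is the one quoted in the post; the isPassive message is made up for symmetry.

```java
import java.util.ArrayList;
import java.util.List;

// Reduced stand-in for the IdP 2.x LoginHandler contract (hypothetical; the real
// interface also reports supported authentication methods, duration, etc., and
// login() takes the servlet request and response).
interface LoginHandler {
    boolean supportsForceAuthentication();
    boolean supportsPassive();
    void login();
}

// Declares its capabilities when constructed, i.e. before any AuthnRequest is
// seen. This is the pattern the post expected to find in CasLoginHandler.
final class ConstructorFlaggedHandler implements LoginHandler {
    private final boolean forceAuthn;
    private final boolean passive;

    ConstructorFlaggedHandler(boolean forceAuthn, boolean passive) {
        // Equivalent of calling setSupportsForceAuthentication()/setSupportsPassive()
        // in the constructor of an AbstractLoginHandler subclass.
        this.forceAuthn = forceAuthn;
        this.passive = passive;
    }
    public boolean supportsForceAuthentication() { return forceAuthn; }
    public boolean supportsPassive() { return passive; }
    public void login() { /* redirect to CAS would happen here */ }
}

// Only sets the flags inside login(), as the post reports CasLoginHandler doing.
final class LoginFlaggedHandler implements LoginHandler {
    private boolean forceAuthn;
    private boolean passive;

    public boolean supportsForceAuthentication() { return forceAuthn; }
    public boolean supportsPassive() { return passive; }
    public void login() {
        // Too late for the request that triggered this call: selection already ran.
        forceAuthn = true;
        passive = true;
    }
}

// Simplified model of the engine's selection step (assumed ordering: filter by
// capability flags first, then call login() on the chosen handler).
public final class LoginHandlerSelection {
    static LoginHandler select(List<LoginHandler> configured,
                               boolean forceAuthnRequested,
                               boolean passiveRequested) throws Exception {
        List<LoginHandler> candidates = new ArrayList<>(configured);
        if (forceAuthnRequested) {
            candidates.removeIf(h -> !h.supportsForceAuthentication());
            if (candidates.isEmpty()) {
                // Message quoted from the original post's IdP log.
                throw new Exception(
                    "Force authentication requested but no login handlers available to support it");
            }
        }
        if (passiveRequested) {
            candidates.removeIf(h -> !h.supportsPassive());
            if (candidates.isEmpty()) {
                // Constructed message; not the IdP's actual text.
                throw new Exception("Passive authentication requested but no login handler supports it");
            }
        }
        LoginHandler chosen = candidates.get(0);
        chosen.login();   // flags set here no longer influence this selection
        return chosen;
    }

    public static void main(String[] args) {
        List<LoginHandler> lateFlags = List.of(new LoginFlaggedHandler());
        List<LoginHandler> earlyFlags = List.of(new ConstructorFlaggedHandler(true, true));

        // Mirrors the SP session-creation parameter forceAuthn=1 from the post.
        for (List<LoginHandler> handlers : List.of(lateFlags, earlyFlags)) {
            try {
                LoginHandler h = select(handlers, true, false);
                System.out.println("selected " + h.getClass().getSimpleName());
            } catch (Exception e) {
                System.out.println("SAML error: " + e.getMessage());
            }
        }
    }
}
```

Running main() shows the first configuration (flags set only in login()) rejected with the quoted log message, and the second (flags set in the constructor) selected. Whether the real CasLoginHandler is reached by the same filtering order is the assumption stated above; the illustration only shows why that order would make the constructor, not login(), the place the engine reads the flags from.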