Need to modify AuthnContextClassRef in ExternalAuth

Stefan Santesson stefan at aaa-sec.com
Fri Dec 18 13:10:56 EST 2015


Hi Scott,



I’m trying to find information about how to do what you suggest.

>
>You have to turn that off (set shibboleth.authn.External.addDefaultPrincipals to java.lang.Boolean.FALSE) and change that code to add the specific AuthnContextClassRefPrincipal you want it to carry back.

I suppose this is done in external-auth-config.xml

Would this work?

<util:constant id="shibboleth.authn.External.addDefaultPrincipals" static-field="java.lang.Boolean.FALSE" />


>
>>The effect of this is that if e.g. "http://id.elegnamnden.se/loa/1.0/loa2-sigmessage" is requested, then this is the context class ref returned in the assertion, given that authentication succeeded.
>
>That will happen, but that's because it sees all three values in the Subject's principal set, and picks the one to return that satisfies the original request.
>
>>How can I accept a request with no requested class ref, and determine in the ExternalAuthn servlet, which should be returned?
>
>By adding the ones you specifically want included and turning off the auto-add setting.


I assume this is done in the Java servlet code when constructing the Subject object.

This is what I currently do:

import java.security.Principal;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;

Principal principal = new UsernamePrincipal(principalName);
Subject subj = new Subject();
subj.getPrincipals().add(principal);

// ReturnAttr is the poster's own enum naming the request-attribute keys the IdP reads back
request.setAttribute(ReturnAttr.principalName.name(), principalName);
request.setAttribute(ReturnAttr.principal.name(), principal);
request.setAttribute(ReturnAttr.subject.name(), subj);


How do I add the selected AuthnContextClassRef URI?

Sorry if this should be obvious, but if you have any info or examples to point me to, you would save me a lot of research.

/Stefan
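The approach Scott describes (turn off addDefaultPrincipals, then have the servlet put the one AuthnContextClassRefPrincipal it wants into the Subject), written out as an added example. This is not the poster's code or Shibboleth's own documentation. It assumes the IdP 3 ExternalAuthentication API (startExternalAuthentication, finishExternalAuthentication and the SUBJECT_KEY / AUTHENTICATION_ERROR_KEY request-attribute constants), that shibboleth.authn.External.addDefaultPrincipals has been set to java.lang.Boolean.FALSE in the External flow's configuration, and a hypothetical authenticateExternally helper standing in for whatever the external system does to authenticate the user and report the level it achieved. The loa2-sigmessage URI is the one from the thread; the ExternalResult holder and the helper are placeholders.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;

/**
 * Example external-authentication servlet (added example, not the poster's code).
 * With addDefaultPrincipals turned off, the IdP returns only the context class
 * the servlet itself puts into the Subject, so the servlet decides which one to
 * carry back even when the SP requested none.
 */
public class ExampleExternalAuthServlet extends HttpServlet {

    /** Context class URI from the thread. */
    static final String LOA2_SIGMESSAGE =
            "http://id.elegnamnden.se/loa/1.0/loa2-sigmessage";

    /** Hypothetical holder for what the external system reports back. */
    static final class ExternalResult {
        final String principalName;
        final String contextClassRef;

        ExternalResult(String principalName, String contextClassRef) {
            this.principalName = principalName;
            this.contextClassRef = contextClassRef;
        }
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            // Hand-off from the IdP; the key identifies the in-flight authentication.
            String key = ExternalAuthentication.startExternalAuthentication(request);

            ExternalResult result = authenticateExternally(request);
            if (result == null) {
                // Report failure back to the IdP instead of returning an empty Subject.
                request.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY,
                        "External authentication failed");
            } else {
                // When SUBJECT_KEY is set, principalName/principal need not be set separately.
                request.setAttribute(ExternalAuthentication.SUBJECT_KEY,
                        buildSubject(result.principalName, result.contextClassRef));
            }

            ExternalAuthentication.finishExternalAuthentication(key, request, response);
        } catch (ExternalAuthenticationException e) {
            throw new ServletException(e);
        }
    }

    /**
     * Builds the Subject the IdP reads back: the user principal plus exactly one
     * AuthnContextClassRefPrincipal. Because auto-add is off, this is the only
     * class ref the flow can return, so it is what ends up in the assertion.
     */
    static Subject buildSubject(String principalName, String contextClassRef) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new UsernamePrincipal(principalName));
        subject.getPrincipals().add(new AuthnContextClassRefPrincipal(contextClassRef));
        return subject;
    }

    /**
     * Hypothetical: talk to the external authentication system and return who
     * authenticated and at which level, or null on failure. A real servlet would
     * derive contextClassRef from the method the external system actually used.
     */
    private ExternalResult authenticateExternally(HttpServletRequest request) {
        String user = request.getParameter("user");
        if (user == null || user.isEmpty()) {
            return null;
        }
        return new ExternalResult(user, LOA2_SIGMESSAGE);
    }
}
```

Two caveats a practitioner will want. First, the class ref the servlet adds must also be listed among the External flow's supportedPrincipals in general-authn.xml; otherwise the flow cannot satisfy a request that does name that context class, and the IdP will not select it. Second, only put one AuthnContextClassRefPrincipal in the Subject: if several are present, the IdP picks among them based on the request, which is exactly the behaviour being turned off here.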


