Need to modify AuthnContextClassRef in ExternalAuth
stefan at aaa-sec.com
Fri Dec 18 13:10:56 EST 2015
I’m trying to find information about how to do what you suggest.
>You have to turn that off (set shibboleth.authn.External.addDefaultPrincipals to java.lang.Boolean.FALSE) and change that code to add the specific AuthnContextClassRefPrincipal you want it to carry back.
I suppose this is done in external-auth-config.xml
Would this work?
<util:constant id="shibboleth.authn.External.addDefaultPrincipals" static-field="java.lang.Boolean.FALSE" />
>>The effect of this is that if e.g. "http://id.elegnamnden.se/loa/1.0/loa2-sigmessage" is requested, then this is the context class ref returned in the assertion, given that authentication succeeded.
>That will happen, but that's because it sees all three values in the Subject's principal set, and picks the one to return that satisfies the original request.
>>How can I accept a request with no requested class ref, and determine in the ExternalAuthn servlet, which should be returned?
>By adding the ones you specifically want included and turning off the auto-add setting.
I assume this is done in the Java servlet code when constructing the Subject object.
This is what I currently do:
Principal principal = new UsernamePrincipal(principalName);
Subject subj = new Subject();
How do I add the selected AuthnContextClassRef URI?
Sorry if this should be obvious, but if you have any info or examples to point me to, you would save me a lot of research.
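An added example, not part of the original message and not code from the Shibboleth project: one way an external authentication servlet can attach a single, explicitly chosen AuthnContextClassRefPrincipal to the Subject, as the quoted reply describes, once shibboleth.authn.External.addDefaultPrincipals is set to FALSE. The servlet name, the "achievedClassRef" request attribute, the use of getRemoteUser() and the second URI in the allow-list are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;

// Hypothetical servlet name; compiles against the IdP v3 and servlet APIs.
public class LoaExternalAuthnServlet extends HttpServlet {

    // Class refs this servlet is allowed to assert. The first URI is the one
    // quoted in the thread; the second is a constructed placeholder.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "http://id.elegnamnden.se/loa/1.0/loa2-sigmessage",
            "urn:example:loa:placeholder"));

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            String key = ExternalAuthentication.startExternalAuthentication(req);

            // Assumption: the container authenticated the user, and an upstream
            // component recorded the level actually achieved in this attribute.
            String principalName = req.getRemoteUser();
            Object achieved = req.getAttribute("achievedClassRef");

            if (principalName == null || !ALLOWED.contains(achieved)) {
                // Fail closed: never fall back to a default class ref.
                req.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY,
                        "No acceptable authentication context was achieved");
            } else {
                Subject subj = new Subject();
                subj.getPrincipals().add(new UsernamePrincipal(principalName));
                // With addDefaultPrincipals FALSE, this is the only class ref
                // the IdP sees for this result, so it is the one returned.
                subj.getPrincipals().add(
                        new AuthnContextClassRefPrincipal((String) achieved));
                req.setAttribute(ExternalAuthentication.SUBJECT_KEY, subj);
            }
            ExternalAuthentication.finishExternalAuthentication(key, req, resp);
        } catch (ExternalAuthenticationException e) {
            throw new ServletException("External authentication failed", e);
        }
    }
}
```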