Need to modify AuthnContextClassRef in ExternalAuth

Stefan Santesson stefan at aaa-sec.com
Mon Dec 21 14:35:25 EST 2015


On 21/12/15 20:13, "users on behalf of Cantor, Scott" <users-bounces at shibboleth.net on behalf of cantor.2 at osu.edu> wrote:



>On 12/21/15, 2:00 PM, "users on behalf of Stefan Santesson" <users-bounces at shibboleth.net on behalf of stefan at aaa-sec.com> wrote:
>
>
>
>>This is a standard auth/External flow (if that counts as a standard flow).
>
>I'm not talking about your login flow, I'm talking about what's calling it.

It’s pretty standard for authn/External (I assume). Set by the following:

In idp.properties:
idp.authn.flows= External


In general-authn.xml:
        <bean id="authn/External" parent="shibboleth.AuthenticationFlow"
            p:nonBrowserSupported="false" 
            p:passiveAuthenticationSupported="true"
            p:forcedAuthenticationSupported="true">
            <property name="supportedPrincipals">
                <util:list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa2"/>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa3"/>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa4"/>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa2-sigmessage"/>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa3-sigmessage"/>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://id.elegnamnden.se/loa/1.0/loa4-sigmessage"/>
                </util:list>
            </property>
        </bean>



In external-authn-config.xml

    <util:constant id="shibboleth.authn.External.addDefaultPrincipals" static-field="java.lang.Boolean.FALSE" />



In Java (external auth servlet):

            import java.security.Principal;
            import java.util.Set;
            import javax.security.auth.Subject;
            import net.shibboleth.idp.authn.principal.UsernamePrincipal;
            import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;

            // Username plus the LoA URI returned by the back-end as the asserted context class.
            Principal principal = new UsernamePrincipal(principalName);
            Principal accPrincipal = new AuthnContextClassRefPrincipal(responseLoa.getLoaUri());
            Subject subj = new Subject();
            Set<Principal> principals = subj.getPrincipals();
            principals.add(principal);
            principals.add(accPrincipal);
            // Hand the Subject back to the IdP under the "subject" request attribute
            // (ReturnAttr.subject.name() evaluates to "subject", i.e. ExternalAuthentication.SUBJECT_KEY).
            request.setAttribute(ReturnAttr.subject.name(), subj);




>
>>The result is that my IdP does not store any cookie, nor any web storage in my web browser.
>
>It doesn't get far enough to store anything, the save operation would be later at the end.

OK
>
>>How can I perform the “load” step required?
>
>You don't.
>
>You're going to have to turn on debug logging for at least the IdP classes and org.opensaml.storage and provide a trace.


I turned just about everything to DEBUG. It did not give me any extra hints.

    <variable name="idp.loglevel.idp" value="DEBUG" />
    <variable name="idp.loglevel.ldap" value="WARN" />
    <variable name="idp.loglevel.messages" value="DEBUG" />
    <variable name="idp.loglevel.encryption" value="INFO" />
    <variable name="idp.loglevel.opensaml" value="DEBUG" />


/Stefan
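An added example, not the poster's servlet and not Shibboleth project code: an external-authentication servlet that builds the Subject the way the post above does, but first refuses to assert any LoA URI outside the supportedPrincipals list of authn/External, and refuses one that does not satisfy an "exact" RequestedAuthnContext from the SP, reporting the failure through the IdP's error attribute instead of returning a Subject. It assumes the IdP 3.2 ExternalAuthentication API (startExternalAuthentication, getProfileRequestContext, finishExternalAuthentication, SUBJECT_KEY, AUTHENTICATION_ERROR_KEY); LoaExternalAuthServlet, BackendResult, authenticateWithBackend and the two error strings are hypothetical names chosen for the example, and the back-end call is left abstract for the deployer to supply.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import org.opensaml.profile.context.ProfileRequestContext;

/** Example external-auth servlet (hypothetical); the back-end authentication is left abstract. */
public abstract class LoaExternalAuthServlet extends HttpServlet {

    /** Hypothetical result of the back-end authentication: who, and at which LoA. */
    protected static final class BackendResult {
        final String principalName;
        final String loaUri;
        BackendResult(String principalName, String loaUri) {
            this.principalName = principalName;
            this.loaUri = loaUri;
        }
    }

    /** Mirrors the supportedPrincipals list of authn/External in general-authn.xml. */
    private static final Set<String> SUPPORTED_LOA = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            "http://id.elegnamnden.se/loa/1.0/loa2",
            "http://id.elegnamnden.se/loa/1.0/loa3",
            "http://id.elegnamnden.se/loa/1.0/loa4",
            "http://id.elegnamnden.se/loa/1.0/loa2-sigmessage",
            "http://id.elegnamnden.se/loa/1.0/loa3-sigmessage",
            "http://id.elegnamnden.se/loa/1.0/loa4-sigmessage")));

    /** Deployer-supplied (hypothetical): authenticate out of band and report name plus LoA URI. */
    protected abstract BackendResult authenticateWithBackend(HttpServletRequest request)
            throws ServletException, IOException;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            // Hand-off from the IdP: the key identifies this login conversation.
            final String key = ExternalAuthentication.startExternalAuthentication(request);
            final ProfileRequestContext prc = ExternalAuthentication.getProfileRequestContext(key, request);

            final BackendResult result = authenticateWithBackend(request);

            // Never assert a context class the flow is not configured for, or one that
            // fails an exact request from the SP; report through the IdP's error key.
            if (!SUPPORTED_LOA.contains(result.loaUri)) {
                fail(key, request, response, "UnsupportedAuthnContext");
                return;
            }
            if (!satisfiesExactRequest(prc, result.loaUri)) {
                fail(key, request, response, "RequestedAuthnContextNotMet");
                return;
            }

            // Same Subject construction as the post: with addDefaultPrincipals=false this
            // AuthnContextClassRefPrincipal is the only context class the IdP receives.
            final Subject subject = new Subject();
            subject.getPrincipals().add(new UsernamePrincipal(result.principalName));
            subject.getPrincipals().add(new AuthnContextClassRefPrincipal(result.loaUri));
            request.setAttribute(ExternalAuthentication.SUBJECT_KEY, subject);
            ExternalAuthentication.finishExternalAuthentication(key, request, response);
        } catch (ExternalAuthenticationException e) {
            throw new ServletException("External authentication hand-off failed", e);
        }
    }

    /** True unless the SP requested an "exact" set of classes that does not contain loaUri. */
    static boolean satisfiesExactRequest(ProfileRequestContext prc, String loaUri) {
        final AuthenticationContext ac = prc.getSubcontext(AuthenticationContext.class);
        final RequestedPrincipalContext rpc =
                ac == null ? null : ac.getSubcontext(RequestedPrincipalContext.class);
        if (rpc == null || rpc.getRequestedPrincipals().isEmpty()) {
            return true; // nothing specific requested
        }
        if (!"exact".equals(rpc.getOperator())) {
            return true; // minimum/better/maximum comparison is not enforced by this servlet
        }
        for (final Principal p : rpc.getRequestedPrincipals()) {
            if (p instanceof AuthnContextClassRefPrincipal && loaUri.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }

    private static void fail(String key, HttpServletRequest request, HttpServletResponse response,
            String reason) throws ExternalAuthenticationException, IOException {
        request.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY, reason);
        ExternalAuthentication.finishExternalAuthentication(key, request, response);
    }
}
```

The point of the two checks is that, once addDefaultPrincipals is false, whatever AuthnContextClassRefPrincipal the servlet attaches is what the SP will be told about the authentication; a back-end that can be talked into returning an unexpected LoA URI would otherwise be asserted verbatim, so the servlet pins the allowed set to the flow configuration before the hand-off.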

