ADFS + Shib 2 Idp + CAS

Michael A Grady mgrady at
Fri May 1 15:36:33 EDT 2015

On May 1, 2015, at 2:24 PM, Cantor, Scott <cantor.2 at> wrote:

> On 5/1/15, 2:14 PM, "seth underhill" <seth.underhill at> wrote:
>> I am not sure why this is so. Does the CAS authentication filter use
>> PasswordProtectedTransport no matter what I would specify in my RemoteUser
>> filter in handler.xml?
> What causes a particular handler to run (that's in handler.xml) and what a handler is actually coded to return (very dependent on the handler) are actually separate things.
> The built-in handlers are not designed to deal with multiple login methods in handler.xml at the same time because they only know how to return a single one. You can get the IdP to run them, but then they'll just fail when the mismatch is picked up. Usually I guess people just don't notice because the SP doesn't care and doesn't ask for anything, so whatever comes back just works.
> The RemoteUser handler will return the context class that's set in a servlet init parameter (authenticationMethod) or it will just return the PPT context by default. You can tell it to return Microsoft's and risk breaking anything that asks for PPT, basically.
> The only way you can handle both at the same time is with two copies of the handler configured at different locations and with different method configurations.
> -- Scott

See the discussion on multiple RemoteUser handlers in the following back in 2010:

Michael A. Grady
Senior IAM Consultant, Unicon, Inc.

More information about the users mailing list