ADFS + Shib 2 Idp + CAS
Michael A Grady
mgrady at unicon.net
Fri May 1 15:36:33 EDT 2015
On May 1, 2015, at 2:24 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 5/1/15, 2:14 PM, "seth underhill" <seth.underhill at cuw.edu> wrote:
>
>> I am not sure why this is so. Does the CAS authentication filter use
>> PasswordProtectedTransport no matter what I would specify in my RemoteUser
>> filter in handler.xml?
>
> What causes a particular handler to run (that's in handler.xml) and what a handler is actually coded to return (very dependent on the handler) are actually separate things.
>
> The built-in handlers are not designed to deal with multiple login methods in handler.xml at the same time because they only know how to return a single one. You can get the IdP to run them, but then they'll just fail when the mismatch is picked up. Usually I guess people just don't notice because the SP doesn't care and doesn't ask for anything, so whatever comes back just works.
>
> The RemoteUser handler will return the context class that's set in a servlet init parameter (authenticationMethod) or it will just return the PPT context by default. You can tell it to return Microsoft's and risk breaking anything that asks for PPT, basically.
>
> The only way you can handle both at the same time is with two copies of the handler configured at different locations and with different method configurations.
>
> -- Scott
>
See the discussion on multiple RemoteUser handlers in the following back in 2010:
https://lists.internet2.edu/sympa/arc/shibboleth-users/2010-03/msg00429.html
--
Michael A. Grady
Senior IAM Consultant, Unicon, Inc.