Returning an AuthnContextDecl using Shibboleth3 external auth

Stefan Santesson stefan at aaa-sec.com
Tue May 12 16:52:17 EDT 2015


Thanks,

A few final questions and comments:

On 12/05/15 19:38, "Cantor, Scott" <cantor.2 at osu.edu> wrote:

>On 5/12/15, 12:44 PM, "Stefan Santesson" <stefan at aaa-sec.com> wrote:
>>
>>This is included in an extension of the request.
>
>Ok, that would be an obvious exception to the "don't look at the SAML"
>rule.

I know, but here we really don’t have a choice. We are by necessity
carrying out a task that is extending what SAML implementations normally
do.
But it works, so I’m a happy camper.

>
>>The IdP should now (ideally) return a receipt that it actually showed the
>>data in the generated assertion. This to distinguish a conforming IdP
>>from
>>one that simply ignored the extension.
>
>Sure. I don't really think that's a use case for AuthnContext.

Interesting, and I’m starting to agree with you. Works in theory, but
without product support, we are toast.

>
>>I don’t like the attribute path since we are using a database to resolve
>>the attributes. I don’t want to put this into the user database, because
>>it is not related to the user per se, just the authentication instant.
>
>Attributes can come from anywhere, not just a database, but regardless:

Yes, the source is not the issue. Binding it to a particular
authentication instant is.
But perhaps just because I don’t know all features of IdP V3 yet.

>>Is there any hope for us?
>
>Well, not unless you do what I mentioned, copy the flow and extend it
>with your own action(s). We designed the flows to be easy to add new
>features to, but that doesn't mean they have an endless number of hooks
>you can just plug into now. It's a small amount of code to add to do
>something new, but it's not possible to get it to run without copying the
>flow so it can be wired in.

I don’t know how to do that yet, but I’ll try to figure it out. If you
have any good pointers on info how this is done I’d be happy.

Finally, what is the intended mechanism for an external auth servlet to
communicate which ClassRef or DeclRef it just performed, in order to get
it included in the assertion?
It was not evident to me in the wiki. Or is it: what was requested is
what gets returned? To me that is not always true. I could do better than
what was requested, or different but equivalent.

/Stefan 



>
>-- Scott
>
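As an added illustration of the last question in the message above (editor's example, not code from the thread or from the Shibboleth project): one way an external authentication servlet can report the context it actually performed, rather than the one that was requested, is to hand the IdP a Subject carrying an AuthnContextClassRefPrincipal alongside the username. This assumes the Shibboleth IdP v3 external authentication API (net.shibboleth.idp.authn.ExternalAuthentication and its "subject" request attribute) and that the IdP honours a class-ref principal supplied that way; the class reference URI and the user name are constructed values.

```java
// Added example, not from the original thread or the Shibboleth project.
// Assumes the IdP v3 external authentication API and that a Subject carrying an
// AuthnContextClassRefPrincipal, returned via ExternalAuthentication.SUBJECT_KEY,
// is used by the IdP when it builds the assertion's AuthnContext.
import java.io.IOException;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.principal.AuthnContextClassRefPrincipal;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;

public class ExampleExternalAuthServlet extends HttpServlet {

    // Hypothetical class reference for the method this servlet really performed.
    // It is reported as-is, whether or not it matches what the SP requested.
    private static final String PERFORMED_CLASS_REF = "urn:example:ac:classes:hypothetical";

    @Override
    protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            // Hand-off from the IdP: the key identifies this login conversation.
            final String key = ExternalAuthentication.startExternalAuthentication(req);

            // Real authentication would happen here. For the example we assume it
            // succeeded for a constructed user name.
            final String username = "jdoe";

            // Report both the identity and the authentication context actually used.
            final Subject subject = new Subject();
            subject.getPrincipals().add(new UsernamePrincipal(username));
            subject.getPrincipals().add(new AuthnContextClassRefPrincipal(PERFORMED_CLASS_REF));
            req.setAttribute(ExternalAuthentication.SUBJECT_KEY, subject);

            // Return control to the IdP login flow.
            ExternalAuthentication.finishExternalAuthentication(key, req, resp);
        } catch (final ExternalAuthenticationException e) {
            throw new ServletException("External authentication hand-off failed", e);
        }
    }
}
```

Two practitioner caveats. The IdP can only trust a reported context as far as it trusts the servlet, so the servlet must derive PERFORMED_CLASS_REF from what it verified, never from a request parameter. And the IdP will still apply its own configuration when deciding whether a returned context satisfies the SP's request (for instance the contexts the external flow is configured to support), so a "better than requested" value has to be one the IdP already knows how to rank against the requested one.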