Turn off SSO login for some contextClassRef URIs
Cantor, Scott
cantor.2 at osu.edu
Wed May 20 10:42:10 EDT 2015
On 5/20/15, 11:14 AM, "Stefan Santesson" <stefan at aaa-sec.com> wrote:
>I have 2 ContextClassRef URI:s that are configured for External
>authentication.
>
>One of the ClassRefs means that the IdP MUST present some information to
>the user and thus, SSO authentication is not permitted.
>For the other ClassRef, SSO based on previous session is allowed.
>
>How can I configure Shib3 IdP so that if ClassRef 1 is requested, External
>is always called disregarding previous authentication, and for ClassRef 2,
>External is used but SSO is allowed?
There's a bean called "shibboleth.authn.External.resultCachingPredicate"
that can be defined to a Predicate object and will control whether the IdP
will actually remember the AuthenticationResult returned from an External
login. If it returns false, the result may be used once but then will be
thrown away, so the next time a request for that context class comes in,
it won't have one in the session to reuse.

To use a single flow for both, that predicate would have to be able to
tell what the answer should be.

But it is simpler to just return this explicitly from the External code if
that's an option. ExternalAuthentication.DONOTCACHE_KEY is the request
attribute to signal that. I thought that was documented, I'll see if I
forgot to include it.
-- Scott
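
The second option in the reply above, sketched as an External servlet that sets ExternalAuthentication.DONOTCACHE_KEY only when the no-SSO context class was requested. This is an added example, not part of the original message and not Shibboleth project code. It assumes the IdP v3 Java API (including ExternalAuthentication.getProfileRequestContext) and the servlet API are on the classpath; the class name, the class-ref URI and authenticateUser() are hypothetical placeholders.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import org.opensaml.profile.context.ProfileRequestContext;

// Added example: one External servlet serving both context classes.
public class NoSsoAwareExternalServlet extends HttpServlet {
    // Placeholder URI (assumption): the class whose result must not be reused for SSO.
    private static final String NO_SSO_CLASS_REF = "urn:example:ac:classes:must-display-info";

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            String key = ExternalAuthentication.startExternalAuthentication(req);
            ProfileRequestContext<?, ?> prc = ExternalAuthentication.getProfileRequestContext(key, req);
            // Hypothetical stand-in for the real external login step.
            req.setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, authenticateUser(req));
            // Tell the IdP not to keep this AuthenticationResult in the session,
            // so the next request for this class calls External again.
            if (requestsNoSsoClass(prc)) {
                req.setAttribute(ExternalAuthentication.DONOTCACHE_KEY, Boolean.TRUE);
            }
            ExternalAuthentication.finishExternalAuthentication(key, req, resp);
        } catch (ExternalAuthenticationException e) {
            throw new ServletException("External authentication failed", e);
        }
    }

    // True if the relying party asked for the no-SSO class; false if nothing was requested.
    static boolean requestsNoSsoClass(ProfileRequestContext<?, ?> prc) {
        AuthenticationContext authn = prc.getSubcontext(AuthenticationContext.class);
        RequestedPrincipalContext rpc =
                authn == null ? null : authn.getSubcontext(RequestedPrincipalContext.class);
        if (rpc == null) return false;
        for (Principal p : rpc.getRequestedPrincipals()) {
            if (p instanceof AuthnContextClassRefPrincipal && NO_SSO_CLASS_REF.equals(p.getName())) return true;
        }
        return false;
    }

    private String authenticateUser(HttpServletRequest req) { return req.getRemoteUser(); }
}
```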