Turn off SSO login for some contextClassRef URIs

Cantor, Scott cantor.2 at osu.edu
Wed May 20 10:42:10 EDT 2015

On 5/20/15, 11:14 AM, "Stefan Santesson" <stefan at aaa-sec.com> wrote:

>I have 2 ContextClassRef URI:s that are configured for External
>One of the ClassRefs means that the IdP MUST present some information to
>the user and thus, SSO authentication is not permitted.
>For the other ClassRef, SSO based on previous session is allowed.
>How can I configure Shib3 IdP so that if ClassRef 1 is requested, External
>is always called disregarding previous authentication, and for ClassRef 2,
>External is used but SSO is allowed?

There's a bean called "shibboleth.authn.External.resultCachingPredicate" 
that can be defined to a Predicate object and will control whether the IdP 
will actually remember the AuthenticationResult returned from an External 
login. If it returns false, the result may be used once but then will be 
thrown away, so the next time a request for that context class comes in, 
it won't have one in the session to reuse.

To use a single flow for both, that predicate would have to be able to 
tell what the answer should be.

But it is simpler to just return this explicitly from the External code if 
that's an option. ExternalAuthentication.DONOTCACHE_KEY is the request 
attribute to signal that. I thought that was documented, I'll see if I 
forgot to include it.

-- Scott

More information about the users mailing list