Turn off SSO login for some contextClassRef URIs
Stefan Santesson
stefan at aaa-sec.com
Wed May 20 11:39:44 EDT 2015
Thanks Scott,
Is the session cache strictly tied to the ClassRef?
I still want authenticaiton using ClassRef 1 to allow session to be cached.
So if authn is requested with ClassRef 2, then that cache from ClassRef 1
is not valid.
Think, that is the case, but just checking.
If the caching is separated, then I think your solution would work for me.
/Sefan
On 20/05/15 16:42, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
>On 5/20/15, 11:14 AM, "Stefan Santesson" <stefan at aaa-sec.com> wrote:
>
>
>
>>I have 2 ContextClassRef URI:s that are configured for External
>>authentication.
>>
>>One of the ClassRefs means that the IdP MUST present some information to
>>the user and thus, SSO authentication is not permitted.
>>For the other ClassRef, SSO based on previous session is allowed.
>>
>>How can I configure Shib3 IdP so that if ClassRef 1 is requested,
>>External
>>is always called disregarding previous authentication, and for ClassRef
>>2,
>>External is used but SSO is allowed?
>
>There's a bean called "shibboleth.authn.External.resultCachingPredicate"
>that can be defined to a Predicate object and will control whether the
>IdP
>will actually remember the AuthenticationResult returned from an External
>login. If it returns false, the result may be used once but then will be
>thrown away, so the next time a request for that context class comes in,
>it won't have one in the session to reuse.
>
>To use a single flow for both, that predicate would have to be able to
>tell what the answer should be.
>
>But it is simpler to just return this explicitly from the External code
>if
>that's an option. ExternalAuthentication.DONOTCACHE_KEY is the request
>attribute to signal that. I thought that was documented, I'll see if I
>forgot to include it.
>
>-- Scott
>
>--
>To unsubscribe from this list send an email to
>users-unsubscribe at shibboleth.net
More information about the users
mailing list