Turn off SSO login for some contextClassRef URIs

Stefan Santesson stefan at aaa-sec.com
Wed May 20 11:39:44 EDT 2015

Thanks Scott,

Is the session cache strictly tied to the ClassRef?

I still want authentication using ClassRef 1 to allow session to be cached.
So if authn is requested with ClassRef 2, then that cache from ClassRef 1
is not valid.

Think, that is the case, but just checking.

If the caching is separated, then I think your solution would work for me.


On 20/05/15 16:42, "Cantor, Scott" <cantor.2 at osu.edu> wrote:

>On 5/20/15, 11:14 AM, "Stefan Santesson" <stefan at aaa-sec.com> wrote:
>>I have 2 ContextClassRef URI:s that are configured for External
>>One of the ClassRefs means that the IdP MUST present some information to
>>the user and thus, SSO authentication is not permitted.
>>For the other ClassRef, SSO based on previous session is allowed.
>>How can I configure Shib3 IdP so that if ClassRef 1 is requested,
>>is always called disregarding previous authentication, and for ClassRef
>>External is used but SSO is allowed?
>There's a bean called "shibboleth.authn.External.resultCachingPredicate"
>that can be defined to a Predicate object and will control whether the
>will actually remember the AuthenticationResult returned from an External
>login. If it returns false, the result may be used once but then will be
>thrown away, so the next time a request for that context class comes in,
>it won't have one in the session to reuse.
>To use a single flow for both, that predicate would have to be able to
>tell what the answer should be.
>But it is simpler to just return this explicitly from the External code
>that's an option. ExternalAuthentication.DONOTCACHE_KEY is the request
>attribute to signal that. I thought that was documented, I'll see if I
>forgot to include it.
>-- Scott
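The per-request approach described in the reply, sketched as an added example that is not part of the original thread or the Shibboleth code base: an External login servlet that sets `ExternalAuthentication.DONOTCACHE_KEY` only for the context class that must not be reused for SSO. Assumptions: the servlet name, the placeholder class URI, container-supplied `REMOTE_USER`, and that the requested class is readable from the `AUTHN_METHOD_PARAM` request attribute.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;

// Hypothetical servlet name; deployed at the path the External flow redirects to.
public class ClassRefAwareExternalServlet extends HttpServlet {

    // Constructed placeholder URI standing in for the class that forbids SSO reuse.
    private static final Set<String> NO_SSO_CLASS_REFS =
            Collections.singleton("urn:example:ac:classes:must-present-info");

    // Fail closed: an unknown or missing class is treated as "do not cache".
    static boolean mustNotCache(String classRef) {
        return classRef == null || NO_SSO_CLASS_REFS.contains(classRef);
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            String key = ExternalAuthentication.startExternalAuthentication(req);

            // Assumption: the requested class is exposed in this request attribute.
            String classRef = (String) req.getAttribute(ExternalAuthentication.AUTHN_METHOD_PARAM);

            // Assumption: the container has already authenticated the user.
            String user = req.getRemoteUser();
            if (user == null) {
                req.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY,
                        "No authenticated user");
            } else {
                req.setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, user);
                if (mustNotCache(classRef)) {
                    // Result is used for this request only and not kept in the session.
                    req.setAttribute(ExternalAuthentication.DONOTCACHE_KEY, Boolean.TRUE);
                }
            }
            ExternalAuthentication.finishExternalAuthentication(key, req, resp);
        } catch (ExternalAuthenticationException e) {
            throw new ServletException("External authentication failed", e);
        }
    }
}
```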