Understanding the Authentication methods and the LoginHandlers

Cantor, Scott cantor.2 at osu.edu
Thu May 28 09:23:32 EDT 2015

On 5/28/15, 10:36 AM, "sarath upadrista" <upadrista.sarath at gmail.com> wrote:

>1) What is the difference between the AuthenticationMethod and the 

A method is the string used in SAML to identify the type of 
authentication, and the LoginHandler is the IdP plugin that handles the 
login process.

>2) Are the AuthenticationMethod and LoginHandler tightly coupled?

In practice it's impossible to avoid coupling them with most of the 
built-in handlers. They're not coupled in the design, but the handlers all 
have to be hardwired to return a specific method string, making the 
ability to associate more than one with the handler brittle and unworkable 
in practice unless you build a custom login handler or use External.

>According to my understanding the SP will prepare a SAML request to the 
>IDP. In the SAML request "AuthnContextClassRef" contains what kind of 
>Authentication method it follows (PasswordProtectedTransport).

It can. That will make the interaction much more complex and should only 
be done if you really need to, and you should almost never request 
Password as a method. That's basically telling an IdP that it shouldn't do 
anything better even if it can, which is a silly thing to do unless you're 
in a scenario where you're being billed for stronger methods and don't 
want to incur the cost.

>Now below are a few more questions which I have got:
>1) Will the IDP be able to support multiple LoginHandlers?

Sometimes, it depends on what you're doing and which ones and what they're 
supposed to do.

>2) Because I want to use the X.509 authentication method with 
>ExternalAuthentication, how can it be done with ExternalAuthentication?

I don't know what you're asking. External is entirely your code, it can do 
whatever it's programmed to do. If you implement it correctly, you can 
make it handle any number of methods. You're supposed to signal the method 
used in a request attribute, I believe.

-- Scott
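As an added illustration of the External approach Scott describes (this is not code from the thread or from the Shibboleth project): a servlet that takes the container-validated client certificate, maps it to a principal, and signals the X.509 method back to the IdP through the request attribute. The `LoginHandler` constants, `AuthenticationEngine.returnToAuthenticationEngine` and `AuthenticationException` are assumed to match the IdP 2.x External authentication API; the CN-based subject mapping is a placeholder.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException;
import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;

/** Target of the External login handler's externalAuthnPath (IdP 2.x API assumed). */
public class X509ExternalAuthnServlet extends HttpServlet {

    // SAML 2.0 authentication context class for certificate-based login.
    private static final String X509_METHOD = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container performed TLS client authentication and chain validation;
        // this standard Servlet attribute is only populated when that succeeded.
        X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        String principal = (chain == null || chain.length == 0) ? null : principalFromSubject(chain[0]);

        if (principal == null) {
            // Report failure explicitly instead of returning an empty result.
            req.setAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY,
                    new AuthenticationException("No usable client certificate presented"));
        } else {
            req.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, principal);
            // The request attribute Scott mentions: External reports the method it
            // actually used rather than a string hardwired into the handler.
            req.setAttribute(LoginHandler.AUTHENTICATION_METHOD_KEY, X509_METHOD);
        }
        // Hand control back to the IdP, which builds the assertion or reports the error.
        AuthenticationEngine.returnToAuthenticationEngine(req, resp);
    }

    /** Placeholder mapping: CN of the subject DN, parsed per RFC 2253 so escaped
     *  commas are handled. Production code should map on a stable identifier. */
    private static String principalFromSubject(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException e) { /* fall through: unmappable subject */ }
        return null;
    }
}
```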
