Understanding on the Authentication methods and the LoginHandlers
cantor.2 at osu.edu
Thu May 28 09:23:32 EDT 2015
On 5/28/15, 10:36 AM, "sarath upadrista" <upadrista.sarath at gmail.com>
>1) What is the difference between the AuthenticationMethod and the
A method is the string used in SAML to identify the type of
authentication, and the LoginHandler is the IdP plugin that handles the
>2) Are the AuthenticationMethod and LoginHandler tightly coupled?
In practice it's impossible to avoid coupling them with most of the
built-in handlers. They're not coupled in the design, but the handlers all
have to be hardwired to return a specific method string, making the
ability to associate more than one with the handler brittle and unworkable
in practice unless you build a custom login handler or use External.
>According to my understanding the SP will prepare a SAML request to the
>IDP. In the SAML request "AuthnContextClassRef" contains what kind of
>Authentication method which it follows (PasswordProtectedTransport).
It can. That will make the interaction much more complex and should only
be done if you really need to, and you should almost never request
Password as a method. That's basically telling an IdP that it shouldn't do
anything better even if it can, which is a silly thing to do unless you're
in a scenario where you're being billed for stronger methods and don't
want to incur the cost.
>Now below are few more questions which I have got:
>1) Will the IDP be able to support multiple LoginHandlers?
Sometimes, it depends on what you're doing and which ones and what they're
supposed to do.
>2) Because I want to use the X.509 authentication method with
>ExternalAuthentication, How can it be done with ExternalAuthentication?
I don't know what you're asking. External is entirely your code, it can do
whatever it's programmed to do. If you implement it correctly, you can
make it handle any number of methods. You're supposed to signal the method
used in a request attribute, I believe.
More information about the users