Understanding on the Authentication methods and the LoginHandlers
sarath upadrista
upadrista.sarath at gmail.com
Fri May 29 04:02:54 EDT 2015
>> A method is the string used in SAML to identify the type of
>> authentication,
- Could you please explain in detail what is meant by the type of
authentication? Is it the process of how to send the SAML response back to
the SP?
- Or how the principal has to be sent in the SAML response (i.e., the
level of encoding)?
What will the IdP do if I send the authentication method as
PasswordProtectedTransport?
>> That's basically telling an IdP that it shouldn't do
>> anything better even if it can,
- If I don't send any authentication method, then how will the IdP know,
for that SP, which authentication method it has to choose based on the SAML
request to the IdP?
>> Sometimes, it depends on what you're doing and which ones and what they're
>> supposed to do.
- Can you please explain in brief, with a built-in LoginHandler and
authentication method, how I can use multiple LoginHandlers at a stretch for
each SAML request from the SP?
>> If you implement it correctly, you can
>> make it handle any number of methods.
- In this case, if I am using the ExternalAuthn type LoginHandler, it will
do the authentication against our own authentication system (basically it
will make a REST call) and send the principal, subject etc. back to the
AuthenticationEngine servlet to prepare the SAML response. So now, if I want
to do the X.509 authentication method, what can be done? Please guide me.
- What will the X.509 authentication method be doing?
- Will it basically tell how to sign the principal?
Requirement in detail:
I am using the ExternalAuthn type LoginHandler with
PasswordProtectedTransport as the authentication method. I am using
ExternalAuthn because we have our own authentication system, which can be
queried using a REST call. This will be done by our ExternalAuthn
LoginHandler. After successful authentication, it sends the PrincipalKey,
PrincipalName, Subject etc. back to the AuthenticationEngine servlet for the
SAML response. Now here are my requirements:
- In the current system we are not using any certificates for the SAML
messages.
- How can it be done?
On Thu, May 28, 2015 at 6:53 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 5/28/15, 10:36 AM, "sarath upadrista" <upadrista.sarath at gmail.com>
> wrote:
>
>
> >
> >1) What is the difference between the AuthenticationMethod and the
> >LoginHandler?
>
> A method is the string used in SAML to identify the type of
> authentication, and the LoginHandler is the IdP plugin that handles the
> login process.
>
> >2) Are the AuthenticationMethod and LoginHandler tightly coupled?
>
> In practice it's impossible to avoid coupling them with most of the
> built-in handlers. They're not coupled in the design, but the handlers all
> have to be hardwired to return a specific method string, making the
> ability to associate more than one with the handler brittle and unworkable
> in practice unless you build a custom login handler or use External.
>
> >According to my understanding the SP will prepare a SAML request to the
> >IDP. In the SAML request "AuthnContextClassRef" contains what kind of
> >Authentication method which it follows (PasswordProtectedTransport).
>
> It can. That will make the interaction much more complex and should only
> be done if you really need to, and you should almost never request
> Password as a method. That's basically telling an IdP that it shouldn't do
> anything better even if it can, which is a silly thing to do unless you're
> in a scenario where you're being billed for stronger methods and don't
> want to incur the cost.
>
> >Now below are few more questions which I have got:
> >
> >1) Will the IDP be able to support multiple LoginHandlers?
>
> Sometimes, it depends on what you're doing and which ones and what they're
> supposed to do.
>
> >2) Because I want to use the X.509 authentication method with
> >ExternalAuthentication, How can it be done with ExternalAuthentication?
>
> I don't know what you're asking. External is entirely your code, it can do
> whatever it's programmed to do. If you implement it correctly, you can
> make it handle any number of methods. You're supposed to signal the method
> used in a request attribute, I believe.
>
> -- Scott
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
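The exchange above turns on one point: the "method" is just a URI string in the SAML message (the SP may pin one in RequestedAuthnContext/AuthnContextClassRef, and the IdP reports the one actually used in the assertion's AuthnStatement), while the handler is whatever code performs the login. The following is an added example written for this thread, not Shibboleth IdP code or anything from the posters. It models an IdP choosing a handler from a constructed AuthnRequest, including the two cases asked about: no RequestedAuthnContext at all (the IdP falls back to its own default policy) and an "exact" request for a method the IdP does not offer. The handler table, the strength ordering, the default-method policy and the sample request are all assumptions of the example; only the SAML namespaces, element names, the Comparison attribute values and the ac:classes URIs are from the standard.

```python
"""Added example: mapping a requested AuthnContextClassRef to a login handler
and reporting the method actually used. Not Shibboleth IdP code."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
ET.register_namespace("saml", SAML)

PASSWORD = AC + "Password"
PPT = AC + "PasswordProtectedTransport"
X509 = AC + "X509"
UNSPECIFIED = AC + "unspecified"

# Assumed deployment table (method URI -> handler name). Mirrors the thread:
# an external handler does the REST-backed password login; X.509 would be a
# separate client-certificate handler.
HANDLERS = {
    PPT: "ExternalAuthn",
    X509: "X509ClientCert",
}

# Assumed ordering, weakest first, used only for Comparison="minimum".
# SAML defines no universal ordering of classes; this is a local decision.
STRENGTH = [UNSPECIFIED, PASSWORD, PPT, X509]

# Assumed IdP policy when the SP requests no context at all.
DEFAULT_METHOD = PPT


def requested_context(authn_request_xml):
    """Return (comparison, [class refs]); ("exact", []) if none requested."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return "exact", []
    comparison = rac.get("Comparison", "exact")  # SAML default is "exact"
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return comparison, refs


def select_handler(authn_request_xml):
    """Pick (method URI, handler name) or raise LookupError if unsatisfiable."""
    comparison, refs = requested_context(authn_request_xml)
    if not refs:
        return DEFAULT_METHOD, HANDLERS[DEFAULT_METHOD]
    if comparison == "exact":
        # The SP pins the method: no substitute, weaker or stronger. This is
        # why requesting Password caps what the IdP is allowed to do.
        for ref in refs:
            if ref in HANDLERS:
                return ref, HANDLERS[ref]
    elif comparison == "minimum":
        floor = min(STRENGTH.index(r) for r in refs if r in STRENGTH)
        for method in STRENGTH[floor:]:
            if method in HANDLERS:
                return method, HANDLERS[method]
    else:
        raise ValueError(f"Comparison={comparison!r} not handled by this example")
    raise LookupError("NoAuthnContext: no supported method satisfies the request")


def authn_statement(method_used):
    """AuthnStatement fragment for the assertion. It names the method the
    handler actually performed, never what the SP merely asked for."""
    stmt = ET.Element(f"{{{SAML}}}AuthnStatement")
    ctx = ET.SubElement(stmt, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = method_used
    return ET.tostring(stmt, encoding="unicode")


def make_request(refs=None, comparison=None):
    """Constructed AuthnRequest for the example (not a captured message)."""
    rac = ""
    if refs:
        cmp_attr = f' Comparison="{comparison}"' if comparison else ""
        inner = "".join(f"<saml:AuthnContextClassRef>{r}</saml:AuthnContextClassRef>" for r in refs)
        rac = f"<samlp:RequestedAuthnContext{cmp_attr}>{inner}</samlp:RequestedAuthnContext>"
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_example1" Version="2.0" IssueInstant="2015-05-29T08:00:00Z">'
            f"<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>{rac}"
            f"</samlp:AuthnRequest>")


if __name__ == "__main__":
    for req in (make_request(), make_request([PPT]), make_request([X509]),
                make_request([PASSWORD], "minimum")):
        method, handler = select_handler(req)
        print(handler, "->", authn_statement(method))
```

Two things the example is meant to make visible. First, an External-style handler can report any of these method URIs, because the IdP only learns the method from what the handler hands back; the X.509 question therefore reduces to "does some handler actually verify a client certificate and then report the X509 class", not to how the principal is signed. Second, an exact request for Password against an IdP that only offers stronger methods fails outright, which is the practical consequence of Scott's advice not to request Password.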