Understanding on the Authentication methods and the LoginHandlers

Cantor, Scott cantor.2 at osu.edu
Fri May 29 10:00:09 EDT 2015

On 5/29/15, 4:02 AM, "users on behalf of sarath upadrista" <users-bounces at shibboleth.net on behalf of upadrista.sarath at gmail.com> wrote:

>      -  Could you please explain in detail what is meant by the Type of authentication. Is it the process of how to send the SAML response back to the SP?

No, please refer to the specification yourself. See AuthenticationMethod in SAML 1 and AuthnContext and AuthnContextClassRef in SAML 2. That's what it means. It means anything you want it to mean, basically, it's an abstraction to identify something for shared understanding. In practice it usually means specific login technologies.

>      - Or how the principal has to be sent in the SAML response (i.e., the level of encoding)?

No, not in any way.

>What will the IDP do if I send the authentication method as PasswordProtectedTransport?

It will run whatever LoginHandler is configured to support that method string in handler.xml.

>  - If I don't send any authentication method, then how will the IDP know, for that SP, what authentication method it has to choose based on the SAML request to the IDP?

The SP in SAML doesn't need to specify that, it's up to the IdP to authenticate the user. You should not be asking for anything at the SP unless you have a good reason for doing that.

>- Can you please explain in brief, with the built-in LoginHandler and authentication method, how I can use multiple LoginHandlers at a stretch for each SAML request from the SP?

See Authentication Method Selection

>- In this case, if I am using the ExternalAuthn type LoginHandler, it will do the authentication from our own authentication system (basically it will make a REST call) and send the principal, subject etc. back to the AuthenticationEngine servlet to prepare
> the SAML response. So now, if I want to do the X.509 authentication method, what can be done? Please guide me.

Then you need code to pick up the certificate from the Java servlet attribute used for the certificate from the client and decide what to do with it. If you want to write the code to do that, you can do so. It is not my role to teach you how, that's not a Shibboleth question. If you want to use the contributed handler for that from SWITCH that already exists, it's on the contributions page.

Or you could stop using old code, use the current IdP version, and it comes with some X.509 login support options.

>- What will the X.509 authentication method be doing?

An X.509 authentication handler is something that evaluates the certificate from the client and decides what to do with it, how to extract a subject identity from it, etc.

>- Will it basically tell how to sign the principal?

I don't know what that means. Sign what principal? Sign how? Why? I think you're confused about SAML perhaps, but this question doesn't make any sense.

>Requirement in detail:

This is not a consulting service.

>I am using the ExternalAuthn type LoginHandler with PasswordProtectedTransport as authentication method.

Then your External code had better be handling password-based login or you'd be lying about what you're doing to anybody that received an assertion with that particular method in it.

> I am using ExternalAuthn because we have our own authentication system which can be requested using a REST call. This will be done by our ExternalAuthn LoginHandler.

And that is not X.509 authentication either. REST call with what? How are you *doing* the authentication? You still won't say.

>- In the current system we are not using any Certificates for the SAML messages.
>- How can it be done?

I have no earthly idea what you're talking about, but it has nothing to do with authentication methods, login handlers, or anything else you asked.

-- Scott
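The selection behaviour Scott describes above (the IdP runs whichever LoginHandler in handler.xml declares the method string the SP asked for, and decides on its own when the SP asks for nothing), plus his warning that a handler declaring PasswordProtectedTransport had better actually be doing password login, modelled as a small Python example. This is an added illustration, not Shibboleth IdP code: `LoginHandler`, `select_handler`, `asserted_method` and `audit_declarations` are constructed names, the "first configured handler" fallback when the SP requests nothing is an assumption (a real deployment can set a default method in relying-party.xml), and the `implements` field exists only so the audit can compare what a handler declares with what it really does. The AuthnContext class URIs are the standard SAML 2 ones.

```python
"""Toy model of authentication-method selection in a SAML 2 IdP such as
Shibboleth IdP v2 (constructed example; not the IdP's own code)."""
from typing import Iterable, List, Optional, Sequence, Tuple

# Standard SAML 2 AuthnContext class references.
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"


class LoginHandler:
    """Mirrors one <LoginHandler> element in handler.xml: the handler type and
    the AuthenticationMethod strings it declares. `implements` is a constructed
    field recording what the handler actually performs, used by the audit."""

    def __init__(self, handler_type: str, methods: Tuple[str, ...], implements: str):
        self.handler_type = handler_type
        self.methods = methods          # declaration order as in handler.xml
        self.implements = implements


class NoSupportedMethod(Exception):
    """No configured handler declares any method the SP asked for."""


def select_handler(handlers: Sequence[LoginHandler],
                   requested: Optional[Iterable[str]] = None) -> LoginHandler:
    """Choose the handler that will run for this request.

    - SP sent AuthnContextClassRef(s): walk them in the SP's order and return
      the first handler declaring one of them; none match -> NoSupportedMethod.
    - SP sent none: the IdP decides. Assumed here: the first configured
      handler (a default method in relying-party.xml could override this).
    """
    if not handlers:
        raise NoSupportedMethod("no LoginHandler configured")
    wanted = list(requested or [])
    if not wanted:
        return handlers[0]
    for method in wanted:
        for handler in handlers:
            if method in handler.methods:
                return handler
    raise NoSupportedMethod("no handler declares any of: " + ", ".join(wanted))


def asserted_method(handler: LoginHandler,
                    requested: Optional[Iterable[str]] = None) -> str:
    """Method string the IdP writes into the assertion's AuthnStatement: one the
    handler declares, preferring a requested one. Note that this is whatever
    the handler is *configured* to say, not what the backend actually did."""
    for method in requested or []:
        if method in handler.methods:
            return method
    return handler.methods[0]


def audit_declarations(handlers: Iterable[LoginHandler]) -> List[str]:
    """Flag handlers whose declared method differs from what they perform, e.g.
    an ExternalAuthn handler declaring PasswordProtectedTransport while the
    external system never checks a password. Such an assertion misrepresents
    the login to every SP that relies on the method string."""
    problems = []
    for handler in handlers:
        for method in handler.methods:
            if method != UNSPECIFIED and method != handler.implements:
                problems.append(f"{handler.handler_type} declares {method} "
                                f"but performs {handler.implements}")
    return problems


# Constructed handler.xml equivalent: an external REST-backed password login
# over TLS, and a certificate handler.
CONFIGURED = (
    LoginHandler("ExternalAuthn", (PPT,), implements=PPT),
    LoginHandler("X509", (X509,), implements=X509),
)

# Constructed misconfiguration: external handler claims PPT but its backend
# performs something it cannot characterise.
MISDECLARED = (LoginHandler("ExternalAuthn", (PPT,), implements=UNSPECIFIED),)


if __name__ == "__main__":
    chosen = select_handler(CONFIGURED, [X509])
    print("SP asked for X509 ->", chosen.handler_type,
          "asserts", asserted_method(chosen, [X509]))
    print("SP asked for nothing ->", select_handler(CONFIGURED).handler_type)
    for line in audit_declarations(MISDECLARED):
        print("AUDIT:", line)
```

The audit is the part worth keeping in a real deployment review: the method string in the assertion comes from configuration, so nothing in the protocol stops a handler from claiming a stronger method than the backend provides, and only the deployer can check that the declaration is honest.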
