How to configure multiple RemoteUser Auth URLs on IDP v3?

Losen, Stephen C. (scl) scl at eservices.virginia.edu
Wed Apr 20 18:32:36 EDT 2016


Hi folks

Most SPs use our "vanilla" SSO which is username/password and we use the IDP RemoteUser auth method to obtain the username.

However, we have a few internal SPs that need to use an "enhanced" version of our SSO authentication method (username/password and answer to a personal security question).

Here is how I set up "enhanced" login on IDP v2 in handler.xml:

<ph:LoginHandler xsi:type="ph:RemoteUser"
       protectedServletPath="/Authn/EnhancedNetBadge">

  <ph:AuthenticationMethod>
     urn:oasis:names:tc:SAML:2.0:ac:classes:EnhancedNetBadge
  </ph:AuthenticationMethod>
</ph:LoginHandler>

We configured the app on the SP to request the AC class
urn:oasis:names:tc:SAML:2.0:ac:classes:EnhancedNetBadge

We use apache httpd as a reverse proxy to the v2 IDP and we configured httpd with <Location /idp/Authn/EnhancedNetBadge> to trigger our enhanced SSO login method. (/idp/Authn/RemoteUser is configured for our "vanilla" SSO.) Might be a hack, but it works.

I've been reading the IDP v3 wiki and am having trouble figuring out how to do this. Obviously I need to configure webapp/WEB-INF/web.xml, but I don't think I can specify the AC class in that file. Maybe somewhere under conf/authn?

If there is some other way to do this that does not involve an AC class, then I'm all ears. Perhaps something in relying-party.xml so that when an auth request comes from a particular SP, the IDP redirects to the enhanced login URL.

Sorry if the answer is right there in the wiki. If this is true, then please provide the URL of the wiki page. Thanks,

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at virginia.edu    434-924-0640
