External SAML authentication

Peter Schober peter.schober at univie.ac.at
Tue Apr 11 08:15:51 EDT 2017


Ciao Marco,

* Marco Naimoli <marco.naimoli at unipd.it> [2017-04-10 16:26]:
> You can find the project here:
> https://github.com/bpnx/external-idp-autentication

I don't know about the soundness of some of the implementation details
(e.g. the flows and use of MFA) but a few minor comments:

By connecting via AJP from httpd to the Java servlet container hosting
the Shib IDP (using mod_proxy_ajp on the httpd side) you can rid
yourself of any HTTP Request Headers and rely solely on environment
variables (using request.getRemoteUser() and request.getAttribute() on
the Java side). That also takes care of the security caveat in the
current text (the one in ALL CAPS), but obviously requires AJP support
in the container (that Tomcat has, but Jetty lacks, AFAIK.)

Also it seems your resolver configuration is specific to an IDPv3 IDP
that has been upgraded from IDPv2, i.e., it's using the IDPv2 syntax
and XML namespaces. As such this wouldn't work in a newly installed
IDPv3 without changes (removing the "resolver", "ad" and "enc"
prefixes, and changing the type from "Script" to
"ScriptedAttribute").
So you might want to call out that fact in the text, and/or provide an
example that works for "clean" IDPv3 installs, too.

The writeup also could benefit from detailing the modifications done
to login.vm, IMO, and possibly also provide details on the EDS
modifications mentioned.

Best regards,
-peter
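To make the resolver point concrete, the following pair of attribute definitions is a constructed illustration added here; it is not from the GitHub project or from the mail above. Fragment (a) uses the IDPv2-era syntax that an upgraded IDPv3 still accepts, fragment (b) is the same definition rewritten for a clean IDPv3 install; the connector id `myLDAP`, the scope `example.org` and the script body are placeholders.

```xml
<!-- (a) IDPv2-style syntax as carried over in an upgraded IDPv3:
     prefixed namespaces ("resolver", "ad", "enc") and type "ad:Script" -->
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Script">
    <!-- "myLDAP" is a placeholder data connector id -->
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        friendlyName="eduPersonPrincipalName" />
    <ad:Script><![CDATA[
      // Placeholder logic: scope the first uid value; the domain is constructed.
      eduPersonPrincipalName.addValue(uid.getValues().get(0) + "@example.org");
    ]]></ad:Script>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>

<!-- (b) The same definition for a clean IDPv3 install:
     single default namespace, no prefixes, type "ScriptedAttribute" -->
<AttributeResolver
    xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <AttributeDefinition id="eduPersonPrincipalName" xsi:type="ScriptedAttribute">
    <Dependency ref="myLDAP" />
    <AttributeEncoder xsi:type="SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        friendlyName="eduPersonPrincipalName" />
    <Script><![CDATA[
      // Script body is unchanged; only the XML wrapper differs between (a) and (b).
      eduPersonPrincipalName.addValue(uid.getValues().get(0) + "@example.org");
    ]]></Script>
  </AttributeDefinition>
</AttributeResolver>
```

Fragment (a) only loads on an IDPv3 that was upgraded in place from IDPv2; a fresh IDPv3 needs the form in (b).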

