Delegating Shib IDP authentication to an external CGI

Losen, Stephen C. (scl) scl at
Fri May 19 07:54:35 EDT 2017

Hi folks,

We are currently using RemoteUser for IDP authentication.  Unfortunately, the underlying SSO is Pubcookie, which has not been supported for years.  We want to eliminate our IDP's dependence on Pubcookie, but we have a rather elaborate Pubcookie login CGI.  Rather than completely re-implement this CGI in the IDP itself using Spring and Web Flows, it may be easier (for me) to rip out the Pubcookie bits in the CGI and pass the principal name to the IDP some other way.  The IDP would redirect the browser to the CGI, which would interact with the user and redirect the browser back to the IDP with the principal name and proof such as a digital signature.

It looks like I should use "authn/External", so I need to write a servlet that redirects the browser to the CGI and later receives the principal name from the browser when the CGI redirects it back to the IDP. I have programming experience (C, ruby, perl) but don't know much java.
I've never used Spring or written a servlet, but I'm willing to learn enough to accomplish this.  Example code would help a lot.

Is this a reasonable approach?  Or is there something much better or easier that I have overlooked?

Thanks for any advice or suggestions you may have.

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at    434-924-0640

More information about the users mailing list