Delegating Shib IDP authentication to an external CGI

Cantor, Scott cantor.2 at
Fri May 19 10:00:11 EDT 2017

On 5/19/17, 7:54 AM, "users on behalf of Losen, Stephen C. (scl)" <users-bounces at on behalf of scl at> wrote:

> The IDP would redirect the browser to the CGI, which would interact with the user and redirect the browser back to the IDP with
> the principal name and proof such as a digital signature.

I don't think that would be "easier", it's a good recipe for a security hole if you don't know enough about what you're doing. But it is the only way to implement it without Java alone because there's no inherently secure way to communicate the identity back into the code.

> It looks like I should use "authn/External", so I need to write a servlet that redirects the browser to the CGI and later receives the
> principal name from the browser when the CGI redirects it back to the IDP.

That step is an SSO protocol, one you would have to invent if you don't deploy something. You'd be better off staying on pubcookie I suspect. Even if it is fully left to your own devices to support, at least it's a known-secure approach at present.

> I have programming experience (C, ruby, perl) but don't know much java.
> I've never used Spring or written a servlet, but I'm willing to learn enough to accomplish this.  Example code would help a lot.

Some Java servlets that implement the external login interface are included in the IdP, see [1][2].

> Is this a reasonable approach?  Or is there something much better or easier that I have overlooked?

I think if I were you I would dump the CGI personally, but not knowing what it does that's difficult to assess.

-- Scott

[1] net.shibboleth.idp.authn.impl.RemoteUserAuthServlet
[2] net.shibboleth.idp.authn.impl.X509AuthServlet
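To make concrete what "proof" in the proposed CGI-to-IdP redirect has to cover before the servlet may trust a principal name, here is an added illustration (not code from the thread or from the IdP): a Ruby sketch of both sides, in the poster's own language rather than a Java servlet. It assumes a shared HMAC secret, a per-login conversation key handed to the servlet by the IdP, and an in-memory nonce store; all three are constructed for the example.

```ruby
require 'openssl'
require 'securerandom'

# Constructed shared secret for the example; a real deployment provisions a
# strong secret to both the CGI and the IdP out of band.
SHARED_SECRET = 'constructed-example-secret-not-for-real-use'.freeze
TOKEN_TTL = 60 # seconds a token stays valid

# Nonces already accepted, so a captured token cannot be replayed
# (a multi-node IdP would keep this in shared storage).
SEEN_NONCES = {}

def hmac_hex(msg)
  OpenSSL::HMAC.hexdigest('SHA256', SHARED_SECRET, msg)
end

# Length check first, then XOR every byte, so comparison time does not
# depend on where the first mismatching byte is.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# CGI side: bind the principal to the IdP's per-login conversation key, an
# expiry and a fresh nonce, sign it, and base64 it (URL-encode it in the redirect).
def issue_token(principal, conversation_key, now = Time.now.to_i)
  raise ArgumentError, 'principal must not contain |' if principal.include?('|')
  payload = [principal, conversation_key, (now + TOKEN_TTL).to_s, SecureRandom.hex(16)].join('|')
  [payload + '|' + hmac_hex(payload)].pack('m0')
end

# IdP side: return the principal only if signature, binding, expiry and nonce
# all check out; otherwise nil, and the servlet must refuse the login.
def verify_token(token, expected_key, now = Time.now.to_i)
  decoded = begin
    token.unpack1('m0')
  rescue ArgumentError
    return nil
  end
  parts = decoded.split('|', -1)
  return nil unless parts.length == 5
  principal, key, expires, nonce, sig = parts
  return nil unless constant_time_equal?(sig, hmac_hex(parts[0, 4].join('|')))
  return nil unless key == expected_key   # issued for this login, not another one
  return nil unless expires.to_i > now    # not stale
  return nil if SEEN_NONCES.key?(nonce)   # not replayed
  SEEN_NONCES[nonce] = true
  principal
end
```

Everything the signature does not cover (the conversation key, expiry, nonce) is exactly what an attacker who captures or forges the redirect would otherwise get to choose.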
