Delegating Shib IDP authentication to an external CGI

Cantor, Scott cantor.2 at
Mon May 22 09:28:58 EDT 2017

> From what I can tell, checking two Windows DCs for passwords should not be
> a problem, nor the X509 cert, nor Duo.  I may need to write a flow to talk to
> our password verifying web app.  If something already exists, then maybe I
> could get the app modified to work with an existing module.  The CGI
> connects directly to the web app, this is not a browser redirect.
> Perhaps I also need to explore JAAS.

You certainly have a perfect storm there to work with. All of it is doable but you would have to develop the right scripting rules in the MFA method to orchestrate all of it, and you'll have to learn a lot to get to that point.

As for the "task enforcement" part, that's an interceptor in the IdP, it doesn't belong in the login flow.

-- Scott
