Delegating Shib IDP authentication to an external CGI

Jim Fox fox at
Mon May 22 14:13:59 EDT 2017

>> From what I can tell, checking two Windows DCs for passwords should not be
>> a problem, nor the X509 cert, nor Duo.  I may need to write a flow to talk to
>> our password verifying web app.  If something already exists, then maybe I
>> could get the app modified to work with an existing module.  The CGI
>> connects directly to the web app, this is not a browser redirect.
>> Perhaps I also need to explore JAAS.
> You certainly have a perfect storm there to work with. All of it is doable but you would have to develop the right scripting rules in the MFA method to orchestrate all of it, and you'll have to learn a lot to get to that point.
> As for the "task enforcement" part, that's an interceptor in the IdP, it doesn't belong in the login flow.

Adding to that:

1) It is quite easy to write a REST-capable authentication verifier bean and incorporate it into the MFA flow.
2) It is a whole lot more enjoyable to code MFA flows than it is to work on pubcookie.
3) We had some web clients, iSomethings, that could not negotiate the external flow.  They work fine with a native MFA flow.
4) For your pubcookie clients: while it is trivially easy to clusterize mod_pubcookie, as far as I know mod_shib still requires a short bit of session host affinity.
