Shib IDP 3.3, external authn with CGI

Losen, Stephen C. (scl) scl at virginia.edu
Thu May 25 15:59:24 EDT 2017


Hi folks,

I recently asked the list about re-implementing a login CGI directly in the IDP or else using external auth to redirect to the CGI.

I looked at the wiki documentation for external auth and the source for the RemoteUser servlet, which uses external auth.  But RemoteUser does not need to redirect the browser anywhere.

If I use external auth, it looks like I need to write a servlet that does this:

servlet looks for key and principal name in the HTTP request.

if not found, then the IDP redirected the browser to the servlet
   key =  ExternalAuthentication.startExternalAuthentication(...)
   redirect the browser to the login CGI and include the key

(User interacts with login CGI, browser and CGI preserve the key, CGI redirects the browser back to the servlet, browser includes the key and principal name in the request).

else if the servlet finds the key and principal name in the request, then the CGI has redirected the browser back to the servlet, so the servlet does this:

username = principal name from the HTTP request

httpRequest.setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, username);

ExternalAuthentication.finishExternalAuthentication(key, ...)

Is this sequence of events correct?

Is it possible to redirect to the CGI before calling ExternalAuthentication.startExternalAuthentication and call it when the browser comes back from the CGI?  I suspect not, otherwise what purpose does the key serve?


Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at virginia.edu    434-924-0640
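
The two-leg flow described in the message above, written out as a servlet. This is an added example, not code from the post or from the Shibboleth project. The CGI URL, the parameter names `key`, `user` and `mac`, and the `cgiSecret` init-param are hypothetical. Because the principal name comes back through the browser, the sketch assumes the CGI and the servlet share a secret and that the CGI sends an HMAC over the key and the principal name, which the servlet verifies before finishing.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;

public class CgiLoginServlet extends HttpServlet {
    // Hypothetical: the login CGI URL and the parameter names "key", "user", "mac".
    private static final String CGI_URL = "https://login.example.edu/cgi-bin/login";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String key = req.getParameter("key");
        String user = req.getParameter("user");
        try {
            if (key == null || user == null) {
                // First leg: the IdP sent the browser here; get the key, go to the CGI.
                key = ExternalAuthentication.startExternalAuthentication(req);
                resp.sendRedirect(CGI_URL + "?key=" + URLEncoder.encode(key, "UTF-8"));
                return;
            }
            // Return leg: accept the principal only if the CGI's MAC verifies.
            if (macMatches(key, user, req.getParameter("mac"))) {
                req.setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, user);
            } else {
                req.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY,
                        "unverified CGI response");
            }
            ExternalAuthentication.finishExternalAuthentication(key, req, resp);
        } catch (ExternalAuthenticationException | GeneralSecurityException e) {
            throw new ServletException("external authentication failed", e);
        }
    }

    // Assumption: the CGI sends base64url(HMAC-SHA256(secret, key + "\n" + user)) as "mac".
    private boolean macMatches(String key, String user, String mac)
            throws GeneralSecurityException {
        String secret = getInitParameter("cgiSecret"); // hypothetical init-param
        if (mac == null || secret == null) return false;
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] tag = hmac.doFinal((key + "\n" + user).getBytes(StandardCharsets.UTF_8));
        String expected = Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                mac.getBytes(StandardCharsets.UTF_8)); // constant-time comparison
    }
}
```

Including the key in the MAC input ties a signed principal name to the login attempt that produced it, so a response captured from one attempt does not verify under another key.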



