bypassing some authN fails?
Daniel Fisher
dfisher at vt.edu
Fri May 26 12:57:00 EDT 2017
On Thu, May 25, 2017 at 5:16 PM, db at alaska.edu <dabantz at alaska.edu> wrote:
> Preferable to just ignore that specific account expired state; that
> results in desired effect without having to craft a tool for a service IAM
> doesn't run then asking user to do something. Also has less impact on the
> services run by others that "use" expired flag for their access control.
>
The authentication response result in the library is immutable, so you'll
have to create a wrapper class.
Here's a gist of what I think that class would look like:
https://gist.github.com/dfish3r/66bd81ed1294780e00b0a9177fa97ec9
Compile your class, add it to the IDP war, then
update ldap-authn-config.xml to use the wrapper class.
Now do some serious testing; you're off the beaten path and there may be
some side effects that I'm not thinking of.
In particular, you may need to also change the ResultCode to SUCCESS to
complete the lie for any flows that rely on account state.
--Daniel Fisher
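
A sketch of the wrapper approach described in this message, added as an example; it is not the code from the linked gist and does not use the ldaptive or IdP API. All type names (`AuthnResponse`, `DirectoryResponse`, `IgnoreExpiredResponse`, the two enums) are hypothetical stand-ins, and the sample responses are constructed.

```java
import java.util.Objects;

public class WrapperDemo {
    // Stand-in types for this sketch; NOT the ldaptive or Shibboleth IdP API.
    enum ResultCode { SUCCESS, INVALID_CREDENTIALS }
    enum AccountError { ACCOUNT_EXPIRED, ACCOUNT_LOCKED }

    interface AuthnResponse {
        ResultCode resultCode();
        AccountError accountError(); // null when no account error was reported
    }

    // Immutable response, standing in for what the library hands back.
    static final class DirectoryResponse implements AuthnResponse {
        private final ResultCode rc;
        private final AccountError err;
        DirectoryResponse(ResultCode rc, AccountError err) { this.rc = rc; this.err = err; }
        @Override public ResultCode resultCode() { return rc; }
        @Override public AccountError accountError() { return err; }
    }

    // Wrapper: delegates to the original and hides only ACCOUNT_EXPIRED.
    static final class IgnoreExpiredResponse implements AuthnResponse {
        private final AuthnResponse delegate;
        private final boolean rewriteResultCode;
        IgnoreExpiredResponse(AuthnResponse delegate, boolean rewriteResultCode) {
            this.delegate = Objects.requireNonNull(delegate);
            this.rewriteResultCode = rewriteResultCode;
        }
        private boolean masked() { return delegate.accountError() == AccountError.ACCOUNT_EXPIRED; }
        @Override public AccountError accountError() { return masked() ? null : delegate.accountError(); }
        @Override public ResultCode resultCode() {
            // Optional second step from the post: report SUCCESS only when the expired state was masked.
            return masked() && rewriteResultCode ? ResultCode.SUCCESS : delegate.resultCode();
        }
    }

    static void check(boolean ok, String what) { if (!ok) throw new AssertionError(what); }

    public static void main(String[] args) {
        // Constructed sample responses.
        AuthnResponse expired = new DirectoryResponse(ResultCode.INVALID_CREDENTIALS, AccountError.ACCOUNT_EXPIRED);
        AuthnResponse locked = new DirectoryResponse(ResultCode.INVALID_CREDENTIALS, AccountError.ACCOUNT_LOCKED);
        AuthnResponse w1 = new IgnoreExpiredResponse(expired, true);
        AuthnResponse w2 = new IgnoreExpiredResponse(locked, true);
        check(w1.accountError() == null && w1.resultCode() == ResultCode.SUCCESS, "expired is masked");
        check(w2.accountError() == AccountError.ACCOUNT_LOCKED, "locked still surfaces");
        check(w2.resultCode() == ResultCode.INVALID_CREDENTIALS, "other failures keep their code");
        check(expired.accountError() == AccountError.ACCOUNT_EXPIRED, "original is untouched");
        System.out.println("all checks passed");
    }
}
```

The checks in `main` cover the cases worth repeating against a real deployment: the expired state is hidden, every other account error and result code passes through unchanged, and the wrapped response itself is never modified.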